UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-FM-13-17    Office of Audits    December 2012

Audit of Nonproliferation and Disarmament Fund Controls Over Contracting and Project Management and Integrity of Financial Data

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended.
It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

This report addresses the Bureau of International Security and Nonproliferation, Nonproliferation and Disarmament Fund's controls over the contracting and project management processes and the integrity of the Fund's financial data. The report is based on interviews with employees and officials of the Fund, direct observation, a review of applicable documents, and tests of controls and financial data.

OIG contracted with the independent public accountant Kearney & Company, P.C., to perform this audit, which was requested by Fund management. The contract required that Kearney & Company perform its audit in accordance with guidance contained in the Government Auditing Standards, issued by the Comptroller General of the United States. Kearney & Company's report is included.

Kearney & Company determined that the Fund's controls over the contracting process were sufficient to meet many objectives but needed improvement. Although the Fund successfully executed projects around the world to achieve nonproliferation goals, projects were not managed consistently, and available project management functionalities were not always used. Further, financial data was not always accurate, complete, or recorded timely.

OIG evaluated the nature, extent, and timing of Kearney & Company's work; monitored progress throughout the audit; reviewed Kearney & Company's supporting documentation; evaluated key judgments; and performed other procedures as appropriate.
OIG concurs with Kearney & Company's findings, and the recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com

Audit of Nonproliferation and Disarmament Fund Controls Over Contracting and Project Management and Integrity of Financial Data

Office of Inspector General
U.S. Department of State
Washington, D.C.

Kearney & Company, P.C. (Kearney) has performed an audit of Nonproliferation and Disarmament Fund controls over contracting and project management and integrity of financial data. This performance audit, performed under Contract No. SAQMMA09D0002, was designed to meet the objective identified in the report section titled “Objectives” and further defined in Appendix A, “Scope and Methodology,” of the report.

Kearney conducted this performance audit from February 2012 through September 2012 in accordance with Government Auditing Standards, 2011 Revision, issued by the Comptroller General of the United States.
The purpose of this report is to communicate the results of Kearney’s performance audit and its related findings and recommendations.

Kearney appreciates the cooperation provided by personnel in Department offices during the audit.

Kearney & Company, P.C.
Alexandria, Virginia
September 5, 2012

Acronyms

A/LM/AQM    Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management
CGFS        Bureau of the Comptroller and Global Financial Services
CLIN        Contract Line Item Number
CN          congressional notification
COR         contracting officer’s representative
FIMS        Financial and Information Management System
GFMS        Global Financial Management System
ISN         Bureau of International Security and Nonproliferation
MOU         Memorandum of Understanding
NDF         Nonproliferation and Disarmament Fund
NIST        National Institute of Standards and Technology
OIG         Office of Inspector General
PM          project managers
PMBOK       Project Management Body of Knowledge
PSC         personal services contractor
ULO         unliquidated obligation

Table of Contents

Executive Summary
Background
Objectives
Audit Results
    Finding A. NDF Contracting Process Controls Are in Place but Need Improvement
    Finding B. Project Management Controls Need Improvement
    Finding C. Data Integrity and Reporting Capabilities Need Improvement To Produce Auditable Financial Reports
List of Recommendations
Appendices
    A. Scope and Methodology
    B. Assessment of Contracting Controls
    C. Notable Financial and Information Management System Reports
    D. Bureau of International Security and Nonproliferation Response

Executive Summary

The Nonproliferation and Disarmament Fund (NDF), an office within the Bureau of International Security and Nonproliferation (ISN), was created to enable the U.S. Government to rapidly respond to nonproliferation opportunities. When an office within the Department of State (Department) or other U.S.
Government agency identifies a nonproliferation opportunity that was not anticipated or budgeted, the office or agency submits a project proposal to NDF. NDF’s projects span the world and include eliminating chemical weapons production equipment in the Balkans and facilitating the safe removal of nuclear infrastructure from Libya. To execute projects, NDF relies on third-party contractors and offices within the host countries, such as the Ministry of Defense.

NDF requested that Kearney & Company, P.C. (Kearney), acting on behalf of the Office of Inspector General (OIG), perform this audit to assess NDF’s controls over contracting and project management. NDF also requested that Kearney determine whether the data recorded in NDF’s internal financial and project management system, the Financial and Information Management System (FIMS), was valid and whether FIMS had sufficient reporting capabilities.

Kearney found that NDF’s controls over the contracting process were sufficient to meet many objectives but needed improvement to ensure compliance with all Federal and Department requirements. Controls over contract initiation and modification, invoice approval, and contract closeout were well designed but were not consistently executed. The procurement request package for 13 of 28 contract initiations tested did not contain all necessary documents, four of 28 procurement requests tested were not approved by the NDF Director, and three of 17 contract modifications tested were not approved, as required. There was no documentation of the project manager’s (PM) certification of the receipt of goods or services for 36 of 143 invoices tested and no evidence that third-party verifications were obtained, when it appeared necessary, for 69 invoices.
Improvement in some of these areas occurred during the FY 2011–2012 period. Kearney also noted that NDF did not have sufficient controls over unliquidated obligations (ULO), a control to close out contracts in a timely manner, or a process to document the projects for which NDF’s authority to waive Federal requirements is used. The lack of sufficient controls over contracting could result in, among other things, delays in contract initiation and modification, improper payments to contractors, and delays in project implementation and execution.

NDF had successfully executed projects around the world to achieve nonproliferation goals, and Kearney generally found that PMs effectively managed the status of their projects. However, Kearney found that PMs did not manage projects consistently and did not always use the project management functionality of FIMS. Kearney also noted that FIMS did not have adequate capabilities to help ensure that PMs sufficiently documented key project elements, such as the scope, timeliness, and cost of work, as well as changes to these elements. Further, Kearney noted that documentation maintenance standards were not consistently followed, and there was no control to ensure that projects are closed in a timely manner. Without consistent project management practices, NDF cannot ensure that it carries out its mission in the most effective and efficient manner.

Kearney found that FIMS contained accurate and complete information on the funds received from appropriations and donations and the amounts approved for each project. However, obligations and expenses in FIMS were not always accurate, complete, or entered in a timely manner.
Specifically, of 12 obligations in the Department’s Global Financial Management System (GFMS) that Kearney tested, three were not recorded accurately in FIMS. Kearney also tested 70 obligations for timeliness and identified 52 obligations that averaged 163 days between executing the obligation and recording it as final in FIMS. Although expenses were recorded in FIMS accurately, they were not always recorded timely, and some were not recorded at all. Specifically, Kearney tested 115 expense transactions in FIMS for timeliness and identified 45 transactions that averaged 87 days between the date the invoice was approved and the date the expense was recorded in FIMS. Of 45 expense transactions in GFMS tested for completeness, 15 transactions, with a net impact of $537,000, were not recorded in FIMS. Kearney also noted that donated funds received from other countries were not sufficiently identifiable in contractual documents, and FIMS lacked key reporting functionality, such as the ability to produce reports as of a specific point of time in the past or covering a specific period of time. Because of the data inaccuracies in FIMS and the limitations of its reporting capabilities, Kearney concluded that FIMS currently would be unable to produce auditable financial reports.

Management Comments

In the draft of this report, OIG made 18 recommendations. Five recommendations pertained to improving controls over contracting, specifically that NDF improve its controls over contract initiation, contract modification, invoice approval, obligation monitoring, contract closeout, and “notwithstanding authority” to ensure compliance with Federal and Department requirements. In addition, five recommendations pertained to developing formal controls over project management and the use of FIMS to ensure that key aspects of project management are executed consistently across all projects.
To the extent possible, these controls should be built into FIMS. Further, eight recommendations pertained to developing a process to ensure that the data in FIMS is complete, accurate, and recorded timely, and improving FIMS reporting capabilities to meet end-user needs.

In its November 13, 2012, response (see Appendix D) to the draft report, ISN concurred with all 18 recommendations. Based on the response, OIG considers the recommendations resolved, pending further action. Management’s responses and OIG’s replies to those responses are included after each recommendation.

Background

The proliferation of weapons of mass destruction, and related materials, technologies, and expertise, is a preeminent challenge to U.S. national security. ISN leads the Department’s efforts to prevent the spread of weapons of mass destruction, such as nuclear, chemical, and biological weapons and their delivery systems, through bilateral and multilateral diplomacy. ISN addresses proliferation threats by improving physical security and export controls, using interdiction and sanctions, and redirecting relevant technology and expertise. ISN has three major programs: Nuclear Affairs, Non-Nuclear and Counter-Proliferation, and Nonproliferation Programs. The three programs and the specific offices within each program are shown in Table 1.

Table 1. Bureau of International Security and Nonproliferation Programs and Offices

ISN Program                              ISN Program Offices
Nuclear Affairs                          Office of Multilateral Nuclear and Security Affairs
                                         Office of Nuclear Energy, Safety and Security
                                         Office of Regional Affairs
Non-Nuclear and Counter-Proliferation    Office of Missile, Biological and Chemical Nonproliferation
                                         Office of Conventional Arms Threat Reduction
                                         Office of Counter-Proliferation Initiatives
                                         Biological Policy Staff
Nonproliferation Programs                Office of Cooperative Threat Reduction
                                         Office of Export Control Cooperation
                                         Nonproliferation and Disarmament Fund
                                         Office of Weapons of Mass Destruction Terrorism
                                         Office of Strategic Communications and Outreach

Source: Prepared by Kearney based on information obtained from the ISN Internet Web site, <http://www.state.gov/t/isn/index.htm>, accessed on July 2, 2012.

NDF, one of ISN’s nonproliferation offices, was established to provide a means for the U.S. Government to respond rapidly to nonproliferation and disarmament opportunities, circumstances, or conditions that are unanticipated or unusually difficult but of high priority. NDF’s role is to supplement U.S. diplomatic efforts to promote bilateral and multilateral nonproliferation and disarmament activities through the development, execution, and implementation of carefully selected projects. When an office within the Department or other U.S. Government agency, such as the U.S.
Department of Energy, identifies a nonproliferation opportunity that was not anticipated or budgeted, the office or agency submits a project proposal to NDF. NDF funds and executes the approved projects in coordination with these other offices and agencies.

In fulfilling its responsibilities, NDF

• Negotiates with foreign governments, foreign contractors, U.S. Government agencies, and U.S. contractors on project development and implementation issues.
• Works to secure ongoing funding for NDF nonproliferation activities.
• Determines the resource requirements necessary to implement projects and provides supervision accordingly.
• Manages the congressional appropriation for NDF.
• Obligates, deobligates, or reprograms NDF funds and tracks NDF expenses and interagency money transfers.
• Tracks program recommendations, decisions, and congressional inquiries and notifications.
• Tracks program progress to measure achievements and reports results to ISN leadership and the Under Secretary of State for Arms Control and International Security.

NDF is a small organization comprised of Department personnel and contractors, including personal services contractors (PSC). NDF staff includes a Director, a Chief of Operations, a Comptroller, Finance Officers, PMs, policy officers, a contract advisor, and project support specialists. A select group of PMs, who negotiate, manage, and implement NDF’s projects, are Department personnel, but the majority of PMs are PSCs.
Most PMs are former senior officials from military and diplomatic missions with a significant amount of experience and knowledge in nonproliferation activities.

NDF Funding

NDF is funded each year by the Nonproliferation, Anti-terrorism, Demining and Related Programs appropriation. Since its creation in 1994, NDF has received $513 million in appropriated funds. NDF received $30 million in appropriated funds during FY 2012. NDF funds are available until they are expended to permit maximum flexibility in project implementation. Despite the indefinite availability of the appropriated funds, the funds must be aligned to a project before they can be spent. The Under Secretary for Arms Control and International Security must approve all projects. Furthermore, NDF must formally notify Congress of the projects it plans to implement through a congressional notification (CN). Once Congress has been notified of the proposed project, a 15-day timeline is initiated during which Congress has the opportunity to reject the proposal. If the 15-day limit elapses without rejection, the proposal is considered to be approved by Congress, and NDF PMs may begin to implement and execute the project. NDF cannot exceed the amount of funding included in the CN for each project.

NDF has also received donated funds from other countries. In 2011 and 2012, four donor countries provided $5.9 million in funds to support NDF’s ongoing project in Libya. NDF has entered into Memorandums of Understanding (MOU) with the donor countries. The MOUs specify the authorized uses of the donated funds and the reporting and tracking requirements.

Contracting Process

NDF relies on contractors to implement the projects it undertakes. In some instances, the contracts are with a host-country government office, such as the Ministry of Defense, and in other instances, the contracts are with third-party vendors.
The contracts that Kearney reviewed for this audit ranged in value from as low as $35,000 to as much as $17 million.

Generally, the contracting process entails contract initiation, contract modification, invoice approval, obligation monitoring, and contract closeout. The contract initiation, modification, and closeout processes are commenced by NDF and completed by the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management (A/LM/AQM). NDF’s contract advisor assists PMs with the contracting process by providing information on contracting requirements and ensuring that documents are properly completed before submission to A/LM/AQM.

PMs serve as the contracting officer’s representative (COR) for the contracts related to their projects. As CORs, the PMs initiate the contracting process by identifying the specific work to be performed and preparing a procurement request package, including the statement of work. In preparing the package, PMs must take into consideration the preferences and demands of the host country, which may affect the award and execution of the contract.

As work is performed under the contract, PMs must verify the receipt of goods or services for contractor-submitted invoices. PMs often travel to project sites, affording them the ability to personally verify the receipt of goods or services. For work performed or goods received while PMs are not on-site, the PMs obtain third-party verification from another U.S. Government representative, such as a U.S. Department of Energy technical monitor.
After a PM has certified that the goods or services were received, the invoice is processed in the same manner as all other Department invoices at the Bureau of the Comptroller and Global Financial Services (CGFS) in Charleston.

Throughout the contract life cycle, PMs are responsible for ensuring that the ULOs[1] for their contracts are valid; that is, the balances on the obligations are still needed. When PMs identify a ULO that is no longer needed, the PM must notify the Finance Officer that the ULO may be deobligated. NDF also performs informal periodic reviews of its ULOs and participates in Department-wide quarterly ULO reviews coordinated by CGFS. At the time of this audit, NDF had 98 ULOs with an available balance of $69.8 million.

When work on the contract has been completed, NDF initiates the contract closeout process. In order to close out a contract, PMs should create a closeout package stating that all work has been completed and coordinate with NDF’s Finance Officer to ensure that final invoices have been received, paid, and reconciled. A closeout checklist, consistent with the Department of State Acquisition Regulation, should be completed and submitted to A/LM/AQM so that the contract can be closed and any remaining funds deobligated.

NDF funding has been provided “notwithstanding any other provision of law.”[2] This means that, with proper authorizations, NDF can override any portion of any law or regulation. For example, despite Federal Acquisition Regulation requirements that Government offices “Buy America,” NDF is permitted to obtain goods or services from foreign contractors. NDF may also award contracts without complying with Federal Acquisition Regulation requirements relating to competition. “Notwithstanding authority” is an extraordinary authority granted to NDF by Congress for use in special circumstances. Therefore, this authority should be invoked only if necessary.

[1] The U.S. Standard General Ledger defines a ULO as “the amount of goods and/or services ordered that have not been… received and for which amounts have not been prepaid or advanced.”
[2] Consolidated Appropriations Act, 2012, Pub. L. No. 112-74, 125 Stat. 786 (2011), and prior year appropriation legislation.

Project Management Process

Each NDF project has a specific objective, such as facilitating the safe removal of the nuclear infrastructure in Libya. NDF performs a number of tasks to accomplish each project’s objective including obtaining the host country’s permission to perform the work and procuring goods and services to support project execution. NDF may enter into one or multiple contracts or MOUs to accomplish each task within a project. Since its inception in 1994, NDF has completed 146 projects. At the time of this audit, there were 46 active projects, funded for approximately $323 million, and 43 projects in the closeout phase, funded for approximately $105 million. Of 46 active projects, 34 were country-specific projects and 12 were for administrative tasks, such as FIMS development and maintenance. Examples of notable NDF country-specific projects are provided in Table 2.

Table 2. Notable Nonproliferation and Disarmament Fund Projects by Activity

Nonproliferation Activity    Project
Nuclear                      Removed more than 100 pounds of at-risk highly enriched uranium from the Vinca Institute in Belgrade, Serbia, to secure storage in Russia, regulated by the International Atomic Energy Agency
                             Facilitated the safe removal of nuclear infrastructure from Libya to secure facilities in the United States
Biological                   Destroyed high-capacity fermenters in Kazakhstan
Chemical                     Eliminated chemical weapons production equipment and facilities and secured chemical agents in the Balkans
Conventional                 Destroyed nearly 40,000 munitions (including fuses, detonators, sea mines, air bombs, and torpedo bodies) in the Republic of Albania
Ballistic Missile            Eliminated Soviet-era short-range, tactical ballistic surface-to-surface Missile Technology Control Regime Category I missiles in Bulgaria, Slovakia, Poland, Hungary, and Libya
                             Eliminated SCUD missiles in Ukraine

Source: Prepared by Kearney based on information obtained from the NDF Internet Web site, <http://www.state.gov/t/isn/ndf/index.htm>, accessed on July 2, 2012.

The project management process includes planning, executing, monitoring, and closing out projects. Project planning occurs before the project is approved and is typically performed by the Department office or other U.S. Government agency proposing the project with NDF’s input and advice.
The Director and Chief of Operations assign projects to PMs based upon their expertise.

PMs monitor their projects by tracking the status of the work and funding primarily through status reports. PMs receive status reports via e-mails, cables, or telephone from the contractor or the embassy in the host country. These reports are received on a daily, monthly, or quarterly basis depending on the project and contract terms. PMs also perform site visits to ensure that project objectives are being met. If PMs encounter uncontrollable environmental issues during project execution, such as civil unrest, PMs coordinate with the Director, Chief of Operations, and, if necessary, the Under Secretary for Arms Control and International Security to determine the potential next steps for the project.

After project objectives have been met, PMs initiate project closeout. All contracts related to the project must be closed to complete the project closeout process. If unspent funds remain for the project, the funds are available for use on future projects.

NDF’s Financial and Information Management System

According to NDF management, the Department’s official financial system of record, GFMS, did not provide the information necessary to track funds at the project level and manage projects effectively. Additionally, NDF staff could not access information in GFMS from remote locations. To address these needs, NDF developed and implemented FIMS, which is a customized, internal, cloud-based system, built on the Salesforce[3] platform and hosted on Salesforce servers.
NDF operates FIMS on a dedicated Internet network connection.

FIMS’ primary purpose is to ensure that amounts expended for a project do not exceed the amount in the CN. To track funds, NDF records in FIMS the funds received through appropriations and the amount approved by Congress, obligated, and spent for each project. FIMS is only used by NDF and does not interface with GFMS or other Department financial management systems. Therefore, NDF must manually record financial data in FIMS and perform periodic reconciliations to ensure that the information in FIMS is consistent with the information in GFMS for budget execution and financial reporting purposes. Recently, NDF enhanced FIMS’ capabilities by adding project management features, improved reporting, and document storage.

[3] Salesforce.com, Inc., is a global enterprise software company. Salesforce has been certified by the General Services Administration, Federal Risk and Authorization Management Program.

Objectives

The objectives of this audit were to

• Assess the sufficiency of NDF controls over the contracting process.
• Assess the sufficiency of NDF controls over the project management process.
• Determine whether the integrity of the data in FIMS is sufficient to prepare auditable financial reports for external users.

Audit Results

Finding A. NDF Contracting Process Controls Are in Place but Need Improvement

NDF’s controls over the contracting process were sufficient for some contract requirements but needed improvement to ensure compliance with all Federal and Department requirements. To test the controls over the contracting process, Kearney reviewed documentation for the contracts related to 15 judgmentally selected NDF projects. (Kearney’s sampling methodology is detailed in Appendix A.)

Kearney found that NDF had established and implemented effectively designed controls over its contracting process, including contract initiation, contract modification, invoice approval, and contract closeout. However, some established controls for contract initiation, contract modification, and invoice approval were not operating effectively. Although Kearney identified deficiencies in these controls, Kearney noted that, in some cases, the number of deficiencies decreased in FYs 2011 and 2012 from prior years.

Although NDF had some controls in place, Kearney identified controls that should have been in place but were missing. Specifically, NDF did not have adequate controls to monitor its ULOs, close out its contracts timely, and document the projects for which NDF used notwithstanding authority.

The control issues identified occurred primarily because NDF staff did not always follow NDF’s internal processes or procedures, and the control environment had not been fully developed.
The lack of sufficient control over contracting could result in delays in contract
initiation and modification, improper payments to contractors, invalid obligations, insufficient
funding, inappropriate use of NDF’s notwithstanding authority, and delays in project
implementation and execution.

NDF Had Established Contracting Process Controls

NDF had established properly designed controls for contract initiation and modification,
invoice approval, and contract closeout. In an effort to streamline the contracting process,
A/LM/AQM and NDF have established an MOU to document the contract initiation,
modification, and closeout processes. Based on this MOU, NDF developed a COR Handbook
that documents the required process for executing a contract and issuing a contract modification.
The NDF process also includes obtaining the NDF Director’s approval for all contract actions.

NDF had also established controls to ensure that goods and services are received before
an invoice is paid. PMs must certify the receipt of goods and services, and NDF’s Comptroller
must approve invoices and travel vouchers.

Additionally, NDF had established controls for contract closeouts.
PMs must obtain a
formal release letter from the vendor to ensure that no future payments are required; complete a
COR Completion Certificate certifying to A/LM/AQM that all work has been completed and the
final payment has been made; and complete a COR Closeout Checklist certifying that all
required closed-out items were accomplished in the appropriate order outlined in the MOU with
A/LM/AQM.

Control Activities for Contract Initiation, Contract Modification, and Invoice Approval
Were Not Operating Effectively

Although NDF had established some controls over the contracting process, Kearney
found that the controls related to contract initiation and modification and invoice approval were
not being executed effectively or as designed. (A list of the key controls tested and Kearney’s
conclusions on their operating effectiveness is provided in Appendix B.)

    Contract Initiation and Modification

Kearney found that NDF did not always complete all required documents or obtain the
necessary approvals prior to initiating a contract. NDF does not have contract authority. In
order to execute a contract, NDF submits a procurement request to A/LM/AQM, and a
contracting officer initiates and executes a contract on NDF’s behalf.
NDF’s COR Handbook, as
well as the Department’s Foreign Affairs Handbook,[4] requires that each procurement request
submitted to A/LM/AQM include, among other things, the following eight items, if applicable:

    • Specifications/Performance Work Statement/Changes to Performance Work
      Statement for Modifications.
    • Inherently Governmental Function Determination.
    • Independent Government Cost Estimate.
    • Funding/Requisition document.
    • COR nomination.
    • Technical Evaluation Criteria and Plan.
    • Justification for Other Than Full and Open Competition.
    • Recommended source list.

NDF’s COR Handbook also requires that all procurement request packages be approved by the
NDF Director.

[4] 14 FAH-2 H-332.2, “Attachments.”

Kearney tested a sample of 28 contracts for contract initiation and preaward controls.
Specifically, Kearney reviewed the procurement request packages for the 28 contracts to
determine whether the packages contained the documents listed above and the required
approvals. Of 28 contracts tested, Kearney found that the procurement request package for 13
contracts was not properly prepared prior to the submission of the procurement request to
A/LM/AQM. Specifically, each of these 13 contract initiations lacked one or more of the
following documents:

    • Inherently Governmental Function Determination.
    • COR nomination.
    • Technical Evaluation Criteria and Plan.
    • Justification for Other Than Full and Open Competition.
    • Recommended source list.

In addition, Kearney identified four instances in which the procurement request was not
approved by the NDF Director.

Kearney noted that the number of instances in which the required documentation was not
prepared decreased recently (FYs 2011–2012), indicating that NDF had improved its
performance in this area. Table 3 provides the results of the contract initiation tests by period.

Table 3. Contract Initiation Test Results

                                            Procurement Request          Procurement Request
                                            Package Lacked               Not Approved by
                Total Tested                Supporting Documentation     NDF Director
Fiscal Years    Number of   Dollar Value    Number of   Dollar Value     Number of   Dollar Value
                Contracts   (in millions)   Contracts   (in millions)    Contracts   (in millions)
2007–2010          16           $9.9             9          $8.8              2          $0.6
2011–2012          12           23.7             4          17.8              2           0.6
Total              28          $33.6            13         $26.6              4          $1.2

Source: Prepared by Kearney based on the results of its tests of contract initiation controls.

Additionally, Kearney tested the controls over contract modifications. According to the
COR Handbook, the terms of the modification and documentation supporting the need for the
modification are required for submission to A/LM/AQM. NDF’s internal process requires that
the Director approve contract modifications prior to submission to A/LM/AQM. Based on a
sample of 17 contract modifications valued at $4.5 million, Kearney determined that
documentation supporting the need for the modification was prepared for all modifications.
However, Kearney identified two no-cost modifications that were not approved by the Director
and one modification totaling $158,000 that was not approved by either the PM or the Director.

NDF controls over contract initiation and modification were not effective because the
PMs did not consistently follow the requirements in the COR Handbook, and NDF did not have
a process in place to ensure compliance. To help ensure compliance with contract initiation and
modification requirements, NDF could develop internal checklists listing all required documents
and approvals. The checklists would then be completed and included with each procurement
request package and modification request before the requests are approved by the NDF Director.

If all required documents are not submitted with contract initiation and modification
requests, A/LM/AQM must either prepare the missing documents without NDF’s input or
contact NDF to obtain the missing documents.
An A/LM/AQM official stated that this situation
delays issuing contracts and modifications, which may prevent NDF from initiating projects in a
timely manner. In addition, if requests are submitted without proper approvals, the requests may
be incomplete, unnecessary, or inaccurate.

    Recommendation 1. OIG recommends that the Nonproliferation and Disarmament Fund
    develop and implement a standardized procedure to help ensure compliance with contract
    initiation and modification documentation and approval requirements.

    Management Response: NDF concurred with this recommendation, stating that it
    would work to “provide and organize an appropriate electronic storage location for
    samples of the various documents used in contract initiation and modification.”

    OIG Reply: OIG considers the recommendation resolved. The recommendation can be
    closed when OIG reviews and accepts documentation showing that NDF has
    implemented a standardized procedure for contract initiation and modification
    documentation and approval.

    Invoice Review Process

Kearney found that NDF often did not effectively execute its invoice approval controls.
Kearney tested a sample of expense transactions for invoice approvals, including the PM
certification of the receipt of goods or services and the Comptroller certification of funds
availability and invoice approval. To determine whether the PM was properly certifying the
receipt of goods or services, Kearney obtained the PM’s certification submitted to the Finance
Officer prior to payment.
As shown in Table 4, Kearney identified 36 instances, totaling $1.7
million, where the PM did not properly certify the receipt of goods or services.

Table 4. Certification of Goods or Services Test Results

                                              Lacked PM Certification of
                Total Tested*                 Goods or Services
Fiscal Years    Number of     Dollar Value    Number of     Dollar Value
                Invoices      (in millions)   Invoices      (in millions)
2005–2010          114           $26.3           27             $1.6
2011–2012           29             6.7            9              0.1
Total              143           $33.0           36             $1.7

Source: Prepared by Kearney based on the results of its tests of invoice controls.
*The planned sample size for testing was 159 items, totaling $51.9 million. However, the actual
sample size was less because the controls tested did not apply to every transaction in the planned
sample.

PMs certify receipt of goods or services based on their personal verification of receipt or
third-party verification. When PMs are on-site, third-party verification is not required. Based on
a review of invoice supporting documentation, travel vouchers, and trip debrief reports, Kearney
determined whether third-party verification was necessary.
For the 93 invoices that required
third-party verification, Kearney reviewed documentation for evidence that the PM received the
third-party verification prior to approving the invoice. Kearney identified 69 instances, totaling
$26.6 million, in which the PMs did not have documentation showing that they obtained
third-party verification prior to certifying the invoice for payment, as shown in Table 5.

Table 5. Third Party Verification Test Results

                                              Lacked Evidence of Third
                Total Tested*                 Party Verification
Fiscal Years    Number of     Dollar Value    Number of     Dollar Value
                Invoices      (in millions)   Invoices      (in millions)
2005–2010           87           $25.4           65            $24.5
2011–2012            6             6.5            4              2.1
Total               93           $31.9           69            $26.6

Source: Prepared by Kearney based on the results of its tests of invoice controls.
*The planned sample size for testing was 159 items, totaling $51.9 million. However, the actual
sample size was less because the controls tested did not apply to every transaction in the planned
sample.

Kearney found 23 invoices, one of which was recent, that had exceptions for both categories of
control activities tested.
That is, the PM did not certify that the goods or services were received,
and there was no documentation of third-party verification.

Kearney noted that NDF had improved its performance for the two control activities
tested. Kearney’s analysis of the results of its tests indicated that the deficiencies for the two
internal control activities tested decreased from a 46 percent error rate for FYs 2005–2010 to a
37 percent error rate for FYs 2011–2012, the most recent period.

To determine whether NDF’s Comptroller was checking funds availability and approving
the invoice, Kearney obtained documentation to support the Comptroller’s approval of 139
invoices, totaling approximately $52 million.[5] Kearney identified only four invoices, totaling
$1,600, for which the Comptroller did not approve the invoice or did not provide documentation
of the approval. None of these exceptions were from invoices approved during FYs 2011–2012.

The PM’s certification of the receipt of goods and services demonstrates execution of
relevant COR responsibilities. The Foreign Affairs Handbook states that “the COR should
review [invoices] to determine the validity of costs claimed and relate total expenditures to the
physical progress of the contract.”[6] In addition, the Foreign Affairs Manual requires approval of
invoices to ensure that “all processed payments are supported by valid obligations.”[7]

[5] The planned sample size for testing was 159 transactions, totaling $51.9 million. However, the actual sample size
was less because the control tested did not apply to every transaction in the planned sample. Specifically, the
invoices selected included refunds, for which the comptroller’s approval is not necessary.
The 20 transactions for
which the procedures were not applicable had a net impact to the amount tested of $141,000.
[6] 14 FAH-2 H-522.4, “Reviewing Vouchers.”
[7] 4 FAM 223.1-5, “Payment of Obligations.”

The control deficiencies identified occurred primarily because the third-party verification
was often received through e-mail or in another informal manner and was not maintained as
supporting documentation for the invoice. Additionally, PMs did not document whether they
personally certified or received third-party verification, which made it difficult to determine
whether third-party verification was necessary. If third-party verification was received, the
format of this verification should be noted so that its existence can be validated. NDF should
consider building the certification process into FIMS. Without proper certification by an
individual who has direct knowledge of the goods or services, payments may be made for goods
or services that NDF does not receive.

    Recommendation 2. OIG recommends that the Nonproliferation and Disarmament Fund
    improve the invoice approval process to ensure that project managers receive and
    maintain the appropriate documentation to support their certification of the receipt of
    goods or services.

    Management Response: NDF concurred with this recommendation, stating that it
    would review the process used “to certify and establish standards for document
    retention.”

    OIG Reply: OIG considers the recommendation resolved.
    The recommendation can be
    closed when OIG reviews and accepts documentation showing that NDF has improved its
    process for receiving and documenting the certification of the receipt of goods or
    services.

Additional Controls Are Necessary for an Effective Control Environment

Kearney identified activities for which controls should have been in place but were
missing. Specifically, NDF did not have properly designed controls related to ULO monitoring
and no controls to ensure the timeliness of contract closeouts or to document the projects for
which NDF used notwithstanding authority.

    Unliquidated Obligations

NDF did not have an effectively designed control to ensure that its ULOs were
proactively monitored for validity. Department offices and bureaus should have a two-step ULO
monitoring process—a regular internal review of all open obligations and participation in the
Department-wide ULO review. According to the NDF Comptroller, NDF has an informal,
undocumented process to review ULOs on a periodic basis. Specifically, the Finance Officer
runs a status of funds report in GFMS and judgmentally identifies obligations that appear to be
invalid. The Finance Officer coordinates with the corresponding PMs to ensure the validity of
those obligations. This internal process is performed on an ad hoc basis. Also, on a quarterly
basis, CGFS sends a report to NDF’s Comptroller identifying ULOs that NDF should review for
validity. NDF’s Finance Officer investigates the ULOs identified by CGFS by following up with
PMs to verify that the unliquidated balance is still needed.
If ULOs are determined to be invalid,
the Finance Officer deobligates the ULO in both GFMS and FIMS.

Kearney reviewed the 98 NDF ULOs in the Department’s March 31, 2012, ULO
database from GFMS’s Data Warehouse and identified 46 ULOs, amounting to $2.7 million, that
had no expenditures since July 2011. These 46 ULOs would have been subject to both NDF’s
internal review process and the CGFS’s ULO review. Kearney reviewed activity on these ULOs
subsequent to March 31, 2012, to determine whether NDF’s internal process or the CGFS’ ULO
review identified and deobligated invalid ULOs. Kearney noted that 24 of 46 obligations had
been deobligated. The remaining 22 obligations, amounting to $1.5 million, remained open
through June 22, 2012. Kearney inquired with PMs about these obligations and was informed
that all 22 were invalid. Kearney concluded that NDF’s informal process was not properly
designed.

Federal appropriation law requires that obligations be recorded “only when supported by
documentary evidence.”[8] In addition, the Foreign Affairs Manual states that “periodic reviews
are to be performed not less frequently than monthly to ensure that unliquidated obligation
balances and disbursements are valid.”[9]

NDF had not developed and implemented a formal, periodic internal ULO review
process. In addition, as part of the Department-wide ULO second quarter analysis, CGFS
provided a list of ULOs to NDF for review, which NDF received on April 30, 2012.
As of June
22, 2012, NDF had not yet completed its research and concluded on the validity of a number of
the ULOs on the CGFS list.

Because NDF did not have effective controls over ULO monitoring, NDF’s ULO balance
was overstated by $1.5 million as of March 31, 2012. Further, NDF’s funds are available for an
indefinite period. If the unneeded obligations were deobligated, the funds would be available for
new obligations immediately. By keeping the funds committed to invalid obligations, NDF
limits the funding available to accomplish other project goals.

    Recommendation 3. OIG recommends that the Nonproliferation and Disarmament Fund
    develop an internal process to review unliquidated obligations on a periodic basis and to
    validate the quarterly list of unliquidated obligations provided by the Bureau of the
    Comptroller and Global Financial Services in a timely manner.

    Management Response: NDF concurred with this recommendation, stating that it
    would enhance FIMS in order to produce a report of ULOs “grouped by NDF project”
    that will be “automatically run each month” and be “sent to NDF Finance users and the
    appropriate NDF project managers.” In addition, the NDF Comptroller will “provide a
    policy memo describing the internal NDF ULO review process.”

    OIG Reply: OIG considers the recommendation resolved. The recommendation can be
    closed when OIG reviews and accepts documentation showing that NDF has
    implemented a standardized process for periodically reviewing ULOs.

[8] 31 U.S.C.
§ 1501, “Documentary Evidence Requirement for Government Obligations.”
[9] 4 FAM 087.2, “Obligation Validity Criteria.”

    Contract Closeout

NDF did not have a control in place to ensure that contracts were closed out in a timely
manner. As there were no controls in place, Kearney did not perform testing over the timeliness
of closeouts. However, while performing other audit procedures, Kearney noted that contract
closeouts often occurred years after the work was completed. For example, the final invoice for
one contract was paid on July 20, 2009. However, the contract was not closed until August 29,
2011, approximately 2 years later.

The Department of State Acquisition Regulation states that “[t]he contract closeout
process shall begin as soon as possible after the contract is physically completed.” Physical
completion occurs when “the contractor has delivered the required supplies and the Government
has inspected and accepted them, or the contract has performed and the Government has
accepted all services required by the contract, and the base period and any option periods
exercised have expired.”[10]

NDF had developed and implemented a contract closeout process and included specific
steps required to close out a contract in its COR Handbook. However, these steps do not include
a required timeframe in which the closeout must be initiated or completed, and NDF’s process
historically was to close contracts during the project closeout process.
Project closeout can be
more involved and time consuming than contract closeout because the data in FIMS for the
entire project must be reconciled to GFMS, a project accomplishment report must be prepared,
and there may be more than one contract on the project. NDF’s funds are available for an
indefinite period. Delaying the closeout of all contracts related to a project until the entire
project is closed may leave unused funds on completed contracts. If the contracts were closed
out in a timely manner, these unused contract funds could be returned to the project level to fund
additional contracts or obligations to accomplish the project mission.

    Recommendation 4. OIG recommends that the Nonproliferation and Disarmament Fund
    develop and implement a formal process to close out contracts in a timely manner.

    Management Response: NDF concurred with this recommendation, stating that it
    would work to “provide and organize an appropriate electronic storage location for
    samples of the various contract closeout documents.” In addition, NDF stated that it
    would “develop standard timeframes for NDF CORs to present contract closeout
    documentation packages.”

    OIG Reply: OIG considers the recommendation resolved. The recommendation can be
    closed when OIG reviews and accepts documentation showing that NDF has
    implemented a process to close out contracts timely.

[10] Department of State Acquisition Regulation, subpar. 604.804-70, “Contract closeout procedures.”

    Notwithstanding Authority

NDF did not document when notwithstanding authority was used.
Kearney requested a
list of projects where notwithstanding authority was used and the details on the specific laws and
regulations that were waived for each project. NDF was unable to provide this documentation
because it was not maintained by NDF or by any other Department office. During review of
CNs for other audit procedures, Kearney observed that, although language was included in some
CNs indicating that the notwithstanding authority would be used, the existence of this language
did not necessarily indicate that the authority was used. Further, it is not required that this
language be included in the CN if the notwithstanding authority is only used to override portions
of the Federal Acquisition Regulation.

The Government Accountability Office’s Standards for Internal Control in the Federal
Government states that “significant events need to be clearly documented, and the
documentation should be readily available for examination.” According to NDF management,
NDF can exercise notwithstanding authority by obtaining formal approvals. PMs must
coordinate with the Office of the Legal Adviser and A/LM/AQM to ensure that the appropriate
approvals are obtained.

NDF did not maintain a list of projects for which it used the notwithstanding authority
because NDF is not directly involved in the process of identifying instances where the
notwithstanding authority is needed. Instead, these determinations have been made by
A/LM/AQM and the Office of the Legal Adviser.

Without documentation of each use of the notwithstanding authority, Kearney could not
verify that the appropriate approvals for using the authority were obtained. In addition, NDF
could not ensure or provide verification that the authority was properly invoked.

    Recommendation 5.
    OIG recommends that the Nonproliferation and Disarmament Fund
    develop a process to formally document the projects for which the “notwithstanding
    authority” is used, including when it is invoked to override portions of the Federal
    Acquisition Regulation.

    Management Response: NDF concurred with this recommendation but stated that it
    “already documents all requests” to use notwithstanding authority, which are “cleared”
    with the Office of the Legal Adviser.

    OIG Reply: OIG considers the recommendation resolved. Although NDF had obtained
    clearance from the Office of the Legal Adviser to use the authority, this authority was
    sometimes granted for projects that did not actually take advantage of the waiver. The
    recommendation can be closed when OIG reviews and accepts documentation showing
    that NDF has developed a process to formally document the projects for which
    notwithstanding authority is used.

Finding B. Project Management Controls Need Improvement

Although Kearney found that NDF had an experienced and successful project
management team, project management controls needed to be improved. Specifically, Kearney
found that PMs did not manage projects consistently, and FIMS project management capabilities
for documenting project issues and other project details were not used effectively. Kearney also
noted that FIMS did not yet have full project management capabilities to assist PMs in
documenting and monitoring key project elements, such as scope, schedule, cost, quality, and
risk.
Additionally, project management documentation was not readily accessible and often only
maintained in e-mails that could be misfiled or deleted. Further, Kearney noted that NDF did not
have a control to ensure that projects are closed in a timely manner.

Overall, Kearney found that these issues existed because there were no formal controls
over the NDF project management process. Without an effective control environment, NDF
management cannot ensure that it carries out its mission in the most effective and efficient way,
and management has limited oversight capability. In addition, project management activities
performed outside of FIMS may not be performed, and management may not have the
documentation necessary to support project management decisions. Further, funds that could be
used for other purposes may remain on completed NDF projects.

Project Management Team is Experienced and Knowledgeable

During its communications with PMs and review of documentation, Kearney observed
that PMs are knowledgeable and experienced in planning, monitoring, and executing
nonproliferation projects. According to NDF management, PMs are selected based on their
familiarity with nonproliferation efforts and diplomatic negotiations, and management assigns
projects to the PMs with the expertise required for the specific projects. The PMs’ knowledge,
experience, and negotiation skills form the foundation that enables NDF to successfully respond
to urgent nonproliferation needs around the world. During this audit, PMs demonstrated an
in-depth knowledge of the current status of their projects, and they were able to discuss key project
elements, such as the scope of work, in detail. Further, Kearney saw evidence that when PMs
encountered project issues, they promptly addressed the issues in order to continue to execute the
project.
For example, NDF encountered several challenges and issues throughout one project, and the PM and NDF management resolved these issues without jeopardizing the project mission.

Project Management Practices Were Inconsistent

Although NDF has successfully completed a number of critical nonproliferation projects, Kearney noted that project management practices were not consistent across NDF. In 2010, NDF developed an NDF Project Management Guide to provide PMs with the resources and tools needed to manage project planning, implementation, and closeout. The guide includes, among other things, a planning checklist, a status report template, a deliverables template, and a closeout checklist. Based upon its review of 15 selected projects, Kearney noted that projects were managed inconsistently, and project management activities for many of the projects were not performed in compliance with the guide. For example, the NDF Project Managers Planning Worksheet included in the guide instructs the PM to identify the tasks, or activities, required to complete the project and the planned start and end date for each task. The specific activities required to complete the project were not identified for two of 15 projects, and the duration of the activities was not estimated for an additional two projects. Although the activities and their durations were documented for 11 of 15 projects, the level of detail at which this was performed varied widely. The NDF Project Managers Planning Worksheet also requests that the PM identify the issues and risks related to the project.
However, risks were not documented during the project planning or execution process for any of the 15 projects.

The inconsistencies identified occurred because the guide was considered optional—PMs did not have to comply with the instructions in the guide. NDF’s Director stated that it is important to allow PMs the maximum flexibility in overseeing their projects. The PMs are experienced project managers. In addition, each NDF project has a unique objective, is executed in a different country, and involves a certain degree of risk to the safety and lives of those carrying out the project. Given this environment, the Director promotes a culture in which PMs are enabled to develop their own project management approach to execute their projects.

Kearney agrees that the circumstances in which NDF works are unique and inherently difficult. However, the elements necessary for effective project management are relatively consistent across all projects. If projects are managed in an inconsistent manner that is not in compliance with the guide, some key elements of project management could be missed. Effective project management helps ensure that a project achieves its mission, is completed on time, and is completed at or below expected costs. By allowing PMs to execute projects ad hoc, NDF cannot ensure that it is carrying out its mission to further U.S. nonproliferation efforts in the most effective and efficient manner.

       Recommendation 6. OIG recommends that the Nonproliferation and Disarmament Fund identify key project management controls and implement a policy to require compliance with these key controls.

       Management Response: NDF concurred with this recommendation, stating that it would “identify key project management controls and recommend a compliance policy.”

       OIG Reply: OIG considers the recommendation resolved.
       The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has implemented a policy requiring compliance with key project management controls.

Existing FIMS Project Management Capabilities Were Not Used Effectively

Kearney found that not all PMs were taking full advantage of the FIMS project management capabilities currently available. Recent enhancements to FIMS included adding three project management features—Project Issues, Next Actions, and the “NDF Award Detail” screen.

        Project Issues and Next Actions

The project issues and next action features allow PMs to enter project information to assist with tracking and monitoring the resolution of any issues that arise during project execution. Kearney identified instances in which projects had encountered issues, but the PMs had not entered those issues into FIMS. For example, one project had been significantly delayed, but these delays were not detailed in FIMS as issues. For each issue, FIMS has a section where the PMs can enter the next actions of the project. For instance, if the project was not performing on schedule, the PM can enter a planned resolution to keep the project on track. Kearney found many instances where the next action functionality was not used.

        NDF Award Detail

The “NDF Award Detail” screen allows the PMs to enter contract awards and specific contract line item numbers (CLIN).¹¹ This information assists the PM in tracking funding and deliverable status for each project by CLIN to help ensure that NDF remains within the project budget and receives project deliverables on schedule.
When contracts are awarded, the Finance Officer creates an award document in FIMS and links this document to the obligation. For each award, PMs should enter the specific award details in the “NDF Award Detail” screen, including the CLIN and deliverable number, description, value, due date, and status. Kearney noted 26 contracts that were entered as obligations in FIMS but were not identified as awards. Further, Kearney noted that some awards were entered into FIMS, but the “NDF Award Detail” screen had not been populated. For example, an award was created for one project in FIMS, but no award deliverable or CLIN information was entered, which made it difficult for the PM to track the award.

The lack of or inconsistent use of FIMS project management features occurred because NDF had not established required fields in FIMS or policies or procedures regarding the PM’s use of FIMS. The Project Issues and Next Actions fields were created so that NDF management could monitor the issues affecting each project. The “NDF Award Screen” was created to facilitate the PM’s monitoring of the contract and review of invoices. These are key activities for the PM. Not using the fields for all projects limits NDF management’s oversight capabilities.

       Recommendation 7.
       OIG recommends that the Nonproliferation and Disarmament Fund develop and implement policies regarding the use of the Financial and Information Management System (FIMS) for project management and, to the extent possible, add controls to FIMS that require the completion of key fields.

       Management Response: NDF concurred with this recommendation, stating that “some key fields have been identified already” and that as an “enhancement to FIMS, more formal project management controls are possible” and NDF would “determine what controls might add value to the process.”

¹¹ CLINs are established to separate specific deliverables and/or to segregate the contract in another manner, such as by labor category.

       OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed and implemented a policy regarding the use of FIMS for project management and added key controls to FIMS.

FIMS Lacked Full Project Management Capabilities

Although NDF developed FIMS to assist with project management, FIMS does not yet have the capabilities to support PMs in managing their projects effectively. The Project Management Body of Knowledge (PMBOK)¹² recommends that organizations document key project elements, including project scope, schedule, cost, quality, and risk, and track the changes to these elements as the project is executed.
Kearney noted that FIMS did not have the capability to document and track these elements.

        Project Scope

FIMS does not enable PMs to sufficiently document the scope of work for each project or the changes to project scope. Within FIMS, project scope is documented at a high level; that is, the country in which the work is performed and the overall objective is included. However, there is no specific place to break down the overall scope into the various tasks or activities required to achieve the objective. Additionally, there is no specific place to document changes to the scope. For example, during the implementation of a project in Libya, the scope changed significantly. Although there were e-mails and memoranda documenting and approving the change in scope for this project, the details of the changes were not documented in FIMS.

PMBOK states: “Project Scope Management includes the process required to ensure that the project includes all the work required, and only the work required, to complete the project successfully.” All changes to project scope should be documented, controlled, and monitored against the scope baseline. The project scope provides a common understanding to all project stakeholders of what is expected. Documenting and monitoring changes to the scope help ensure that all stakeholders understand the new project parameters. If scope is not properly managed, activities may be performed that do not support the overall project objective.

        Project Schedule

FIMS does not have a feature or space to sufficiently document the project schedule or monitor the schedule to evaluate variances from the planned baseline.
During its review of 15 selected projects, Kearney noted that the duration of the project as a whole was not documented for four of the projects reviewed, and the timeframe needed to complete individual project activities was not documented for any of the 15 projects.

¹² A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 4th ed., Project Management Institute, 2008.

PMBOK states: “Project Time Management includes the processes required to manage timely completion of the project.” Controlling the project schedule is the process of monitoring the status of the project to update project progress. Changes in project schedules may impact other project elements, such as project costs. In addition, if timelines are not properly managed, the project may be delayed, increasing the risk that the political environment that facilitated the project will change, and NDF may not be able to complete the project.

        Project Costs

The funding for the project as a whole is documented in FIMS; however, FIMS does not enable PMs to sufficiently document project costs or monitor changes in costs. Within each project, various activities must be accomplished to achieve the project objective. Kearney found that total project funding was not allocated to the various project activities in FIMS. Although NDF records obligations, including contracts, in FIMS, the obligations do not align to the individual project activities.

PMBOK states: “Project Cost Management includes the processes involved in estimating, budgeting, and controlling costs so that the project can be completed within the approved budget.” As with project scope and schedule, project costs may change.
For example, if additional project activities are incorporated into the project, project costs may increase. Changes to project costs should be documented, controlled, and monitored against the project cost baseline. If project cost increases are not closely monitored, there may not be sufficient funds available to complete the project. If project costs decrease, there may be funds available that could be used for other purposes but are not because their availability is not known.

        Project Quality

FIMS does not have the capability to assist PMs to substantiate that project activities are performed in compliance with established specifications. As discussed above, FIMS does not enable PMs to track progress against the project budget and schedule. In addition, FIMS does not have other features that would be useful for tracking project deliverables, such as a feature to remind PMs when project status reports are due from contractors. FIMS’ current structure encourages PMs to assess the success of the project at the invoice level.

PMBOK states: “Project Quality Management includes the processes and activities of the performing organization that determine quality policies, objectives, and responsibilities so that the project will satisfy the needs for which it was undertaken.” If project quality is not managed, project funds could be wasted on ineffective or insufficient goods and services.

        Project Risk

Although FIMS includes a feature to document project issues that occur after the project has begun, it does not include a similar feature to document risk identification and the actions necessary to remediate those risks during project planning before significant, negative consequences occur.
Kearney noted that PMs were aware of and documented project risks through e-mails to appropriate project stakeholders, such as the host country, donor countries, and contractors. However, these risks were not documented in FIMS.

PMBOK states: “Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and monitoring and control on a project.” Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective, such as scope, schedule, cost, or quality. If project risks are not identified and monitored, NDF may not be able to react quickly if the risks occur, and the success of the project may be jeopardized.

NDF recently added project management features to FIMS and plans to increase its features over time. A project’s success is directly influenced by how effectively project requirements are captured and managed. Because FIMS does not yet facilitate the project management process and is lacking key features, PMs document many aspects of projects outside of the system. There is a chance that a key project element will not be performed. To meet NDF’s objective of using FIMS to assist with project management activities, FIMS should include the capability to document and monitor the following project elements:

       • activities required to accomplish the project objective,
       • overall project timeline,
       • activities timeline,
       • activities cost,
       • quality measures and milestones, and
       • risk identification and remediation.

       Recommendation 8.
       OIG recommends that the Nonproliferation and Disarmament Fund (NDF) identify the key project management activities for NDF projects and develop a plan to modify Financial and Information Management System (FIMS) capabilities to support these activities. If NDF determines that it would not be cost effective to upgrade FIMS, NDF should develop and implement a formal process to perform and document these key project management activities outside of FIMS.

       Management Response: NDF concurred that it needed to “document key project, program, and portfolio management activities and to exercise due diligence in examining relevant workflows and documentation requirements and set cost effective and practical standards.” However, NDF noted that detailed project management “is carried out by the implementing entity, which may be a foreign government, contractor and/or international organization.”

       OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has identified the key project management activities for which it is responsible and developed a plan to modify FIMS to support these activities or developed and implemented a process to perform and document these activities outside of FIMS.

Document Maintenance and Retention Need Improvement

NDF was not always able to readily locate and produce project management documentation, including documentation to support the obligations and expenses related to each project.
Some documents were not in the Finance Office’s project file, and it often took days for NDF to locate the correct document. In addition, PMs generally documented decision making, project coordination, and discussion of project issues or changes in e-mails. In some cases, e-mail communications were printed and maintained in the project file, but in other instances they were not, and locating a specific e-mail was sometimes difficult and time consuming. Further, some PMs documented, maintained, and printed every document they used, created, or processed and placed it in the project file. However, other PMs only maintained the “official” project documents, such as the contract, Statement of Work, MOU, and limited correspondence regarding the important decisions that impacted their projects.

The Office of Management and Budget’s Circular A-123, “Management’s Responsibility for Internal Controls,” states that “management should have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify document retention periods.” Although the NDF Project Management Guide instructs PMs and the Finance Officer to maintain specific documents and dictates whether those documents should be saved on the internal network or in FIMS, Kearney observed that these guidelines were not followed.

Without adequate documentation requirements, NDF cannot ensure that it maintains the documentation to support project management decisions. In addition, although e-mails in NDF’s internal e-mail accounts are maintained, e-mails in the Department’s e-mail accounts are not maintained indefinitely, and important documentation could be lost. Further, projects are often moved between PMs for workload capacity and specialization reasons.
If project files are not complete and documentation cannot be located, a PM taking over an existing project may not be aware of the full history of a project, including issues that should be addressed and resolved.

       Recommendation 9. OIG recommends that the Nonproliferation and Disarmament Fund develop and implement procedures to ensure that documentation maintenance and retention policies are followed consistently.

       Management Response: NDF concurred with this recommendation, stating that it would build upon some existing guidelines to “determine appropriate policies and procedures.”

       OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed and implemented procedures related to document maintenance and retention.

Project Closeout Controls Are Needed

NDF did not have a control to ensure that projects are closed in a timely manner. NDF recently implemented a project closeout process. This process requires a full reconciliation of the financial data in FIMS to the data in GFMS and the preparation of a final report. The reconciliation is performed to help ensure that financial records in FIMS are correct prior to closing out the project. The final report summarizes the project’s accomplishments and financial history.

At the time of this audit, there was a significant backlog of projects to be closed. The project closeout process has proven to be time consuming and can take an unreasonable length of time. Kearney noted that NDF had closed 103 projects since 2010. Additionally, NDF had completed the financial reconciliation for another 43 projects.
However, there were still projects, both country-specific and administrative, inappropriately identified as “active” in FIMS. In fact, one project was still an active project in FIMS even though the work has been completed and no payments have been made since 2008.

As long as a project is “active” in FIMS, the funds remain assigned to that project. When projects are closed, the funds can be returned to NDF’s allotment for use on other nonproliferation activities.

Because NDF currently is working to close out the backlog of completed projects, no formal recommendations are being made specifically related to NDF’s effort. However, it is important for NDF to continue with its project closeout efforts. To improve the timeliness of project closeouts, NDF should identify ways to perform its closeout procedures more efficiently. Kearney agrees with the need to reconcile data in FIMS to the data in GFMS to ensure that the information in FIMS is accurate and complete. However, Kearney noted that an inordinate amount of time was spent during the reconciliation investigating small dollar differences. NDF management could establish a reasonable dollar threshold below which the difference will not be investigated.

       Recommendation 10.
       OIG recommends that the Nonproliferation and Disarmament Fund develop a standard timeframe for closing out projects and implement a policy to ensure standard timeframes for project closeouts are met or the reasons for delays documented.

       Management Response: NDF concurred with this recommendation, stating that it plans to “establish a policy to include a timeline to closeout NDF projects and return remaining funds to the NDF account.” NDF also noted that the report included administrative funds used for internal operations in the list of active projects and suggested that OIG modify the report to remove these projects. NDF provided OIG with a separate list of the administrative projects, which OIG did not include in Appendix D.

       OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed and implemented a standard timeframe for project closeouts. OIG understands that Kearney included administrative projects in its overall count of projects in the report. However, because NDF included administrative activities in the list of projects that it provided to Kearney for testing purposes, OIG believes it is appropriate to include these activities in the number of projects being performed by NDF. Kearney has noted in the report that the number of projects discussed included administrative projects.

Finding C.
Data Integrity and Reporting Capabilities Need Improvement To Produce Auditable Financial Reports

Kearney found that FIMS contained accurate and complete information on the funds received, including appropriations, donations, and the amounts approved for each project. However, the integrity of other data in FIMS was often not sufficient to prepare accurate financial reports for external users. Specifically, obligations and expenses were not always accurately, completely, or timely recorded in FIMS. The discrepancies occurred primarily because of the lack of clear policies and procedures for recording obligations and expenses in FIMS. The discrepancies were not detected and corrected because of the lack of a formal, periodic reconciliation process. Further, Kearney found that donated funds were not clearly segregated by donor country in contractual documents and that FIMS reporting capabilities were limited. Because of the inaccurate data in FIMS and the limitations of the current FIMS reports, Kearney concluded that FIMS was unable to produce financial reports that could be successfully audited.

Kearney also found that, although NDF had implemented some application security controls for FIMS, the controls were not adequate. Specifically, NDF did not have a comprehensive application security plan in place, application changes were not adequately reviewed, the system administrator had the ability to alter financial data, and NDF had not formally approved or implemented the draft contingency plan it developed for FIMS. Without adequate application level controls, unauthorized changes to FIMS could be migrated into production and incorporated into the FIMS configuration baseline. Further, unauthorized changes may alter the processing of financial data and compromise the integrity and reliability of that data.
As a result, data may be lost, and extended down time may be necessary to recover the data.

Funds Received Were Accurately, Completely, and Timely Recorded in FIMS

Kearney found that NDF accurately recorded in FIMS the funds received from appropriations and donations and the amounts approved for each project. Appropriated funds are recorded in GFMS and provided to NDF through advices of allotment. NDF records appropriations in FIMS at the allotment level. Donated funds are recorded in GFMS by entering a specific fund symbol and in FIMS by entering the applicable country. NDF records the amount of funds approved by Congress for each project in FIMS by project number.

To test the accuracy and completeness of the appropriations recorded in FIMS, Kearney obtained the appropriation legislation for FYs 2009–2012 and identified the amount made available to NDF for each of those fiscal years. Kearney compared the amounts in FIMS to the amounts in the appropriation legislation and identified no differences.

To test the accuracy and completeness of the donations recorded in FIMS, Kearney obtained a copy of the MOU for each donor country and documentation of the deposits of funds received from each donor country in FY 2011. Kearney compared the donated amounts recorded in FIMS to the amounts listed in the MOUs, as well as to the amounts deposited, and identified no differences.

To test the accuracy of the project funding recorded in FIMS, Kearney obtained the CNs for the 15 selected projects. Kearney compared the project funds recorded in FIMS to the amounts in the CNs for the 15 projects and identified no differences.
To test the completeness of the project funding recorded in FIMS, Kearney obtained a report containing all CNs since 2007 from the Bureau of Legislative Affairs Document Tracking Log System. Kearney identified all NDF-related CNs, mapped each NDF project to the corresponding CN, and compared the project funding in FIMS to the CN. Kearney identified no differences. Kearney also determined that NDF recorded project funding in a timely manner by comparing the date the funding was recorded in FIMS to the date of the CN for seven of 15 projects.¹³ Funding for all seven projects was recorded within 15 days after the expiration of the deadline allowed for congressional rejection of the CN.

Obligations and Expenses Were Not Always Accurately, Completely, or Timely Recorded in FIMS

Although funding was accurately, completely, and timely recorded, Kearney found that obligations and expenses recorded in FIMS were not always accurately, completely, or timely recorded. Specifically, obligation amounts in FIMS were not always supported, estimated obligations recorded in FIMS were not updated with actual obligation information in a timely manner, and some obligations in GFMS were not recorded in FIMS. Although expenses recorded in FIMS were accurate, they were not recorded in a timely manner, and some expenses were not recorded in FIMS at all.

        Obligations

Kearney found that obligations recorded in FIMS were not always accurate, complete, or timely. Obligations are definite commitments that create a legal liability of the Government for payment.
An agency should record an obligation “only when supported by documentary evidence” of “a binding agreement between an agency and another person (including an agency).”¹⁴ An obligation should also be recorded, even in the absence of a binding agreement, if it is likely that there will be future outlays, and there is a reasonable estimate of the amount. NDF records obligation estimates in FIMS based upon procurement requests. NDF identifies these obligations as estimates by using an indicator “flag” in FIMS. When NDF establishes formal obligations, such as a contract or purchase order, the actual amount of the obligations should be entered and the estimate “flag” removed.

¹³ This test was limited to seven of 15 selected projects because the remaining eight projects were funded prior to implementation of the current version of FIMS. For these projects, FIMS shows the system implementation date as the date funding was recorded and not when it was initially recorded in the previous version of FIMS.
¹⁴ 31 U.S.C. § 1501, “Documentary Evidence Requirement for Government Obligations.”

Kearney tested 140 obligations,¹⁵ totaling $138 million, recorded in FIMS to determine the accuracy and timeliness of the obligation amounts. As detailed in Table 6, Kearney identified 29 errors.

Table 6.
Errors in Recording Obligations

Finding                                         Number of  Gross Impact to    Net Impact to
                                              Obligations       Obligation       Obligation
                                                           Balance in FIMS  Balance in FIMS

The obligation recorded in FIMS was not                17         $647,000         $647,000
supported by documentation; therefore, the
amount could not be verified.

The obligation amount recorded in FIMS did              7          236,000          234,000
not agree to the amount in the obligating
document.

The obligation amount initially recorded in             5        8,720,000                0
FIMS did not agree to the amount in the
obligating document. NDF eventually
corrected the amount.[16]

Total                                                  29       $9,603,000         $881,000

Source: Prepared by Kearney based on the results of its tests of obligations.

An additional nine obligations, each for less than $15,000, were recorded based on e-mail communications without a formal obligating document.
Although Kearney accepted the e-mails as support for the amounts obligated, Kearney notes that NDF may want to develop a more formal process regarding these low dollar obligations to ensure they are appropriately recorded.

[15] The planned sample size for testing was 180 obligations, totaling $133.6 million. However, the actual sample size was less because the 180 items included deobligations, which were not substantively tested.
[16] Kearney noted that the estimated and actual amounts recorded for these obligations, which changed over the life of the obligation, did not agree with the documentation supporting the obligations, and no reasonable explanation for the discrepancies was provided. Although corrected by NDF prior to this audit, the discrepancies are indicative of a weakness in the controls over recording obligations.
[17] This test was limited to 70 of 140 FIMS obligations tested because the other obligations were recorded prior to implementation of the current version of FIMS. For these obligations, FIMS shows the system implementation date as the date the obligations were recorded and not when the obligations were initially recorded in the previous version of FIMS.

Kearney tested the timeliness with which 70 obligations[17] were recorded in FIMS and the estimate “flag” was removed. Of 70 obligations, Kearney identified 52 obligations, totaling $68.9 million, in which the estimate “flag” was removed between 16 and 803 days after the actual obligation was executed. The average time between executing the obligation and removing the “flag” for these 52 obligations was 163 days.
Kearney also identified three obligations, totaling $5.5 million, in which the estimate “flag” was either never used or was removed before the actual obligation was executed.

Kearney also identified instances in which the obligation amount in FIMS did not match the obligation amount in GFMS. Kearney judgmentally selected 12 NDF ULOs in GFMS totaling $131 million, which accounted for more than 90 percent of NDF’s ULO population at the time of this audit. For these 12 obligations, Kearney reconciled the amounts recorded in FIMS to the amounts recorded in GFMS. The amount in FIMS for three of 12 obligations did not agree with the amount obligated according to GFMS. The difference for the three obligations was $1.6 million.

        Expenses

Kearney found that the expenses recorded in FIMS were accurate; however, some expenses were not recorded, and recorded expenses were not documented in a timely manner. An expense is an “outflow or other using up of resources,” the benefits from which “apply to an entity's operations for the current accounting period, but do not extend to future periods.”[18] From FIMS, Kearney selected a sample of 262 expense transactions, totaling $52 million, to test for accuracy. Kearney compared the amount of the expense in FIMS to the invoice amount and found that the 262 expenses were recorded accurately.

Kearney tested the timeliness with which 115 expense transactions[19] were recorded in FIMS. Of 115 transactions, Kearney identified 45 transactions, totaling $16.7 million, in which the expense was recorded more than 15 days after the invoice was approved for payment. For these 45 transactions, the average time between the date the invoice was approved and the date the expense was recorded in FIMS was 87 days.
In one instance, the expense was not recorded in FIMS until 371 days after the invoice was approved for payment. Kearney also identified eight instances, totaling $2.2 million, in which expenses were recorded in FIMS prior to the invoices being approved for payment. NDF’s Finance Officer enters expenses into FIMS. The process of recording expenses in FIMS is manual, and it requires a significant amount of the Finance Officer’s time. Kearney noted that NDF has three Finance Officer positions, but at the time of this audit, one of the positions was vacant and one Finance Officer had been detailed to another office since January 2009. The one current Finance Officer has other responsibilities, and the entry of invoices is not always considered the highest priority.

[18] Statement of Federal Financial Accounting Standards No. 4, “Managerial Cost Accounting Concepts and Standards for the Federal Government.”
[19] This test was limited to 115 of 262 FIMS expenses tested because the other expenses were recorded prior to implementation of the current version of FIMS. For these expenses, FIMS shows the system implementation date as the date the expense was recorded and not when it was initially recorded in the previous version of FIMS.

To test the completeness of the expense transactions recorded in FIMS, Kearney selected 45 expenses from GFMS and compared the amount reported in GFMS for each expense to the amount in FIMS. Of 45 sampled transactions, 15 expenses, with a net impact of $537,000, were not recorded in FIMS. The majority of these expenses were for PSC salary payments, which were made by another office in the Department.
NDF is not aware of these payments when they are made.

The obligation and expense data in FIMS is used by NDF personnel on a daily basis. According to the Government Accountability Office’s Standards for Internal Control in the Federal Government, “transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions…. In addition, control activities help to ensure that all transactions are completely and accurately recorded.” The errors in obligations and expenses in FIMS occurred because NDF did not have sufficient policies or procedures regarding the recording of obligations, particularly miscellaneous obligations, or expenses.

Further, these errors were not identified and corrected in a timely manner because NDF’s process of comparing data in FIMS to GFMS is manual, not formalized, and not performed on a timely basis. NDF’s goal is to work with the Department to develop a process to export data from GFMS and import the data to FIMS. Until that is possible, NDF could improve its method for reconciling FIMS to GFMS by developing a report in FIMS that shows the status of all obligations and comparing the amount in FIMS to the Status of Funds report from GFMS’s Data Warehouse. NDF could develop a tool or template in Excel to facilitate this comparison. For certain obligations, the Excel template would need to link the FIMS obligation numbers to the corresponding unique identifiers in GFMS.

When errors, such as incorrect obligations and expenses, occur in FIMS and are not corrected in a timely manner and when estimated obligations are not distinguished from actual obligations, FIMS provides incorrect information to PMs and other users of FIMS.
For example, as of the beginning of FY 2012, GFMS showed that NDF had $72 million more in available funds for obligations than was reported in FIMS.

Recommendation 11. OIG recommends that the Nonproliferation and Disarmament Fund improve its policies and procedures for recording obligations and expenses in the Financial and Information Management System (FIMS) by developing, at a minimum:

       a) Clarification on the documentation required to record an obligation, especially miscellaneous obligations.
       b) Instructions on the proper use of the estimate “flag.”
       c) A standard for an acceptable time between the approval of an expense transaction and its entry into FIMS.

Management Response: NDF concurred with this recommendation, stating that it would include a “checklist for obligation supporting documentation” in the Project Manager Users Guide. NDF also planned to “build a tool to compare GFMS and FIMS, when and if GFMS downloads are available.” Further, NDF planned to include a process for the “estimated flag” in its internal policies and enhance FIMS by developing “automated periodic reconciliation processes.”

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed and implemented improved policies and procedures for recording obligations and expenses in FIMS.

Recommendation 12.
OIG recommends that the Nonproliferation and Disarmament Fund develop and implement policies and procedures for reconciling financial data in the Financial and Information Management System to the financial data in the Global Financial Management System on a periodic basis, including requirements for documenting and reviewing the reconciliation.

Management Response: NDF concurred with this recommendation, stating that it agrees that it “should improve the reconciliation process before the final project closeout.” However, NDF stated that because of staff limitations and lack of automated data from GFMS, the “reconciliation between GFMS and FIMS is a manual process subject to priorities of workload.” NDF stated that it will explore the possibility of enhancing FIMS to allow for “automated periodic reconciliation processes.”

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed and implemented policies and procedures for reconciling the financial data in FIMS to GFMS.

Donated Funds Should Be More Clearly Identifiable in Contractual Documents

In FY 2012, NDF received more than $5.9 million in donations from other countries to execute an ongoing project in Libya. As a condition of receiving these funds, the United States agreed to keep separate records and accounts for the funds donated. Kearney found that the donated funds received were accounted for separately by donor in FIMS and GFMS.
In addition, NDF records obligations and expenses against the donated funds by country in FIMS, enabling NDF to account for the funds received from each country.

Although the funds, when received, are recorded separately in FIMS and GFMS, Kearney found that three of four donor countries’ funds were included in the same CLIN under one contract. Within each CLIN there is a separate requisition funded by a specific donation identifiable by the allotment code, and the contractor is aware of this breakout. However, the requisition is not easily identifiable in GFMS, and NDF must rely upon the contractor to allocate funds to the proper donor country. This occurred because the contract for the ongoing project using donated funds was negotiated by A/LM/AQM based upon the request of another office within the Department. If NDF had been responsible for initiating the procurement request, it could have ensured that a better tracking mechanism for donated funds was included in the contract.

Recommendation 13.
OIG recommends that the Nonproliferation and Disarmament Fund (NDF) develop policies regarding the responsibility of NDF in the contracting process when donated funds are used.

Management Response: NDF concurred with this recommendation, stating that it “only receives donor funds on a project-specific basis, and each project will have unique contractual requirements.” Therefore, NDF will develop appropriate modalities on a “case-by-case basis.” In addition, NDF stated that it would add procedures to the “FIMS Quick Reference Guide.” Further, NDF stated that donated fund “reports are being enhanced and developed in FIMS to include funds, obligations, expenditures, and available balances from the projects.”

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed policies related to identifying donated funds in the contracting process.

FIMS Reporting Capabilities are Limited

Kearney found that the existing reporting function within FIMS did not have the capability to produce useful and timely reports for donor countries. The majority of the standard FIMS reports are financial reports that provide a project’s obligations, expenses, and ULOs. Appendix C provides a sample of the standard reports that FIMS produces and the information included in each report. Kearney concluded that the standard reports generated by FIMS were insufficient to fulfill donor requirements for reliable and complete financial reports.
Specifically, FIMS does not currently have the ability to:

       • Produce reports as of a historic point in time or for a particular period of time.
       • Track changes to or the deletion of expense transactions or produce a report showing those changes.
       • Show the amount of an obligation in the Obligation History Report when an obligation is created.
       • Distinguish between estimated and actual obligation amounts in reports.
       • Produce reports showing the project’s progress or performance.

The MOUs with the donor countries all require regular financial reporting on the use of the funds. For example, the MOU between the United States and one donor country requires the Department to provide “monthly reports on the progress of the … funded projects and activities…. The reports are to contain an overview of the projects and activities and a financial accounting showing how the funds provided … have been allocated and used.”

When FIMS was designed in 2008, NDF anticipated using the system primarily for internal monitoring of its budgetary resources. Operational and regulatory requirements have expanded since the system was designed, but FIMS had not been fully updated to meet the increased requirements, including the requirements for external reporting and independent audits. Kearney noted that NDF had the ability to meet donor country reporting requirements by manually compiling the information from the information contained in GFMS, FIMS, and bureau cuff records.

Recommendation 14.
OIG recommends that the Nonproliferation and Disarmament Fund (NDF) identify end-users reporting needs and modify the Financial and Information Management System (FIMS) to meet the reporting needs identified. If NDF determines that it would not be cost-effective to modify FIMS to address certain end-user reporting needs, NDF should document the rationale for making this decision and develop a formal process for manually preparing the required reports.

Management Response: NDF concurred with this recommendation, stating that it agreed to “develop a plan to identify end-user reporting needs.” However, NDF stated that it would be able to use the current FIMS functionality to address the recommendation and that “modifying FIMS to meet the reporting needs” may take more time.

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has determined end-user reporting needs and has implemented processes to meet those needs.

Inaccurate Data and Limitations of FIMS Reports Make Successful Audits of Financial Reports From FIMS Unlikely

Because of the inaccurate data in FIMS and the limitations of the FIMS reports, Kearney concluded that FIMS is currently unable to produce financial reports that could be successfully audited. NDF’s ultimate goal is to be able to produce auditable financial reports for donors or other interested parties using data in FIMS.

Because the Department does not adequately segregate donations by country in its contracting documents, there is limited visibility over the status of the funds and an increased risk that the contractor performing the project for which the funds were donated may not sufficiently report cost by donation.
In addition, because some of the data in FIMS is inaccurate, NDF may not have an accurate picture of the financial position of the fund, and any decisions made using the FIMS data may be flawed.

In order to provide financial reports to donor countries, NDF must manually produce the reports using data from different sources, which increases the likelihood of errors. If NDF were unable to comply with the expectations of donor countries to provide accurate and timely financial reports, countries may be unwilling in the future to provide additional funds to carry out other nonproliferation projects.

FIMS Application Level Controls Need Improvement

Kearney found that NDF had implemented some controls to protect the data stored in FIMS. Specifically, NDF implemented a process to ensure that sensitive information is not entered in FIMS, established user access and segregation of duties controls, maintained an audit log to record changes made to FIMS, and developed a draft contingency plan. However, NDF had not implemented certain application level controls. Specifically, NDF did not have a comprehensive application security plan, the system administrator had the ability to alter financial data, controls over changes made to the application were not sufficient, and the draft contingency plan was not formally approved or implemented.

NDF has mitigated the risks associated with putting Department financial and project information online by ensuring that no sensitive data is entered into FIMS. NDF does not include classified, sensitive but unclassified, proprietary, or personally identifiable information in FIMS.
NDF had assigned an IT support specialist to review documents to verify that the documents are not sensitive or classified before the documents are scanned into FIMS. However, NDF did not have a comprehensive application security plan in place. According to the National Institute of Standards and Technology (NIST),[20] the purpose of the system security plan is to “provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.”

NDF had implemented user access and segregation of duties controls and had documented the user roles and profiles for staff with FIMS access. User roles and profiles determine the user’s ability to read, create, edit, delete, view, and modify information in FIMS. Kearney reviewed all of the user roles and profiles, including those for the PMs and the Finance Officer, and determined that the access rights associated with most user roles and profiles were appropriate. However, Kearney found that the system administrator had the ability to alter financial data. According to NIST standards,[21] an organization should employ “the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.”

NDF had established a Requirements Management Team to represent the interests of PMs and the Comptroller when changes to FIMS are being considered.
The Requirements Management Team reviews FIMS change requests, makes recommendations for approval by the NDF Director, and communicates decisions to the affected groups and individuals. In addition, FIMS uses an audit log in which changes to the application are recorded. For example, changes to the access rights of a user profile and the creation of a field or addition of a new user were logged. The audit log was maintained for 6 months by Salesforce. Although the audit log recorded changes to the application, the changes were not reviewed by an individual without change authority to ensure that only the changes reviewed by the Requirements Management Team and approved by the NDF Director were made. NIST standards[22] require agencies to manage configuration changes to the information system using an organizational process (e.g., a chartered Configuration Control Board). Configuration change control involves “the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications.” NDF should consider requiring all application changes to be reviewed by an individual without change authority to ensure that the changes were executed in accordance with the NDF review and approval process.

[20] NIST Special Publication 800-18, rev. 1, “Guide for Developing Security Plans for Federal Information Systems.”
[21] NIST Special Publication 800-53, rev. 3, “Recommended Security Controls for Federal Information Systems and Organizations.”
[22] Ibid.

NDF had developed a draft contingency plan, but the plan had never been formally approved or implemented.
NIST standards[23] require organizations to develop, disseminate, and periodically review “a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance” and “formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.”

Without adequate application level controls, unauthorized changes to FIMS could be migrated into production and incorporated into the FIMS configuration baseline, which may alter the processing of financial data and compromise the integrity and reliability of the data. In the event of a power outage because of an external environmental factor, such as a natural disaster, a system failure may occur. Without a formal, approved contingency plan, data may be lost, and recovery efforts may result in extended down time.

Recommendation 15. OIG recommends that the Nonproliferation and Disarmament Fund prepare a comprehensive system security plan for the Financial and Information Management System.

Management Response: NDF concurred with this recommendation, stating that it was “working on the accreditation and certification process.” In addition, NDF stated that it is modifying the current contract for FIMS services “to add funding for the system security plan.”

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed a comprehensive system security plan.

Recommendation 16.
OIG recommends that the Nonproliferation and Disarmament Fund review the permissions of all Financial and Information Management System users and verify that their access privileges are consistent with their assigned job functions and responsibilities.

Management Response: NDF concurred with this recommendation.

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has reviewed and verified the access privileges of FIMS users.

[23] Ibid.

Recommendation 17. OIG recommends that the Nonproliferation and Disarmament Fund assess its current change control process for the Financial and Information Management System and determine whether additional reviews are required.

Management Response: NDF concurred with this recommendation.

OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has assessed its current change control process.

Recommendation 18. OIG recommends that the Nonproliferation and Disarmament Fund finalize and implement its contingency plan for the Financial and Information Management System.

Management Response: NDF concurred with this recommendation, stating that its current information technology contract “includes a provision for a contingency plan in FIMS.” NDF stated that the “Disaster Recovery and Data Backup services,” which are provided by SalesForce, have “been shown to satisfy NIST standards in regards to the prevention of loss of data.”

OIG Reply: OIG considers the recommendation resolved.
The recommendation can be closed when OIG reviews and accepts documentation showing that NDF has developed a contingency plan for FIMS.

List of Recommendations

Recommendation 1. OIG recommends that the Nonproliferation and Disarmament Fund develop and implement a standardized procedure to help ensure compliance with contract initiation and modification documentation and approval requirements.

Recommendation 2. OIG recommends that the Nonproliferation and Disarmament Fund improve the invoice approval process to ensure that project managers receive and maintain the appropriate documentation to support their certification of the receipt of goods or services.

Recommendation 3. OIG recommends that the Nonproliferation and Disarmament Fund develop an internal process to review unliquidated obligations on a periodic basis and to validate the quarterly list of unliquidated obligations provided by the Bureau of the Comptroller and Global Financial Services in a timely manner.

Recommendation 4. OIG recommends that the Nonproliferation and Disarmament Fund develop and implement a formal process to close out contracts in a timely manner.

Recommendation 5. OIG recommends that the Nonproliferation and Disarmament Fund develop a process to formally document the projects for which the “notwithstanding authority” is used, including when it is invoked to override portions of the Federal Acquisition Regulation.

Recommendation 6. OIG recommends that the Nonproliferation and Disarmament Fund identify key project management controls and implement a policy to require compliance with these key controls.

Recommendation 7.
OIG recommends that the Nonproliferation and Disarmament Fund develop and implement policies regarding the use of the Financial and Information Management System (FIMS) for project management and, to the extent possible, add controls to FIMS that require the completion of key fields.

Recommendation 8. OIG recommends that the Nonproliferation and Disarmament Fund (NDF) identify the key project management activities for NDF projects and develop a plan to modify Financial and Information Management System (FIMS) capabilities to support these activities. If NDF determines that it would not be cost effective to upgrade FIMS, NDF should develop and implement a formal process to perform and document these key project management activities outside of FIMS.

Recommendation 9. OIG recommends that the Nonproliferation and Disarmament Fund develop and implement procedures to ensure that documentation maintenance and retention policies are followed consistently.

Recommendation 10. OIG recommends that the Nonproliferation and Disarmament Fund develop a standard timeframe for closing out projects and implement a policy to ensure standard timeframes for project closeouts are met or the reasons for delays documented.

Recommendation 11.
OIG recommends that the Nonproliferation and Disarmament Fund
improve its policies and procedures for recording obligations and expenses in the Financial and
Information Management System (FIMS) by developing, at a minimum:

    a) Clarification on the documentation required to record an obligation, especially
       miscellaneous obligations.
    b) Instructions on the proper use of the estimate “flag.”
    c) A standard for an acceptable time between the approval of an expense transaction and
       its entry into FIMS.

Recommendation 12. OIG recommends that the Nonproliferation and Disarmament Fund
develop and implement policies and procedures for reconciling financial data in the Financial
and Information Management System to the financial data in the Global Financial Management
System on a periodic basis, including requirements for documenting and reviewing the
reconciliation.

Recommendation 13. OIG recommends that the Nonproliferation and Disarmament Fund
(NDF) develop policies regarding the responsibility of NDF in the contracting process when
donated funds are used.

Recommendation 14. OIG recommends that the Nonproliferation and Disarmament Fund
(NDF) identify end-users’ reporting needs and modify the Financial and Information
Management System (FIMS) to meet the reporting needs identified. If NDF determines that it
would not be cost-effective to modify FIMS to address certain end-user reporting needs, NDF
should document the rationale for making this decision and develop a formal process for
manually preparing the required reports.

Recommendation 15. OIG recommends that the Nonproliferation and Disarmament Fund
prepare a comprehensive system security plan for the Financial and Information Management
System.

Recommendation 16.
OIG recommends that the Nonproliferation and Disarmament Fund
review the permissions of all Financial and Information Management System users and verify
that their access privileges are consistent with their assigned job functions and responsibilities.

Recommendation 17. OIG recommends that the Nonproliferation and Disarmament Fund
assess its current change control process for the Financial and Information Management System
and determine whether additional reviews are required.

Recommendation 18. OIG recommends that the Nonproliferation and Disarmament Fund
finalize and implement its contingency plan for the Financial and Information Management
System.

Appendix A

Scope and Methodology

In February 2012, the Nonproliferation and Disarmament Fund (NDF) requested a
performance audit to assess the design and effectiveness of the contracting and project
management control environments and to evaluate the integrity of the data in its Financial and
Information Management System (FIMS) and its ability to produce auditable reports. An
external audit firm, Kearney & Company, P.C. (Kearney), acting on behalf of the Office of
Inspector General, performed this audit.

Kearney conducted this performance audit from March–July 2012 in Washington, DC.
Kearney planned and performed the audit in accordance with performance audit requirements in
the Government Accountability Office’s Government Auditing Standards: 2011 Revision.
These standards required Kearney to obtain sufficient, appropriate evidence to provide a
reasonable basis for findings and conclusions.
The sufficiency and appropriateness of evidence
needed and tests of evidence related directly to the objectives and scope of the audit. Kearney
believes that the evidence obtained provides a reasonable basis for its findings and conclusions
based on the audit objectives.

To obtain background information for this audit, Kearney researched and reviewed the
Federal Acquisition Regulation, the Department of State Acquisition Regulation, and Federal
appropriations law. Kearney reviewed industry standards relating to project management, such
as those developed by the Project Management Institute in the Project Management Body of
Knowledge. Kearney also reviewed standards for internal control, as it relates to information
systems, as documented by the National Institute of Standards and Technology (NIST).

Kearney met with NDF personnel and contractors to obtain an understanding of NDF’s
processes related to contracting and project management and to obtain an understanding of the
current use of FIMS. Kearney also met with personnel from Acumen, the vendor responsible for
designing and maintaining FIMS, to obtain an understanding of the configuration of the system.
Kearney reviewed the Memorandums of Understanding between the United States and the
various countries that have donated funds to support the implementation of NDF’s project in
Libya. Meetings were held with individuals outside NDF to assist Kearney in identifying the
risks related to NDF’s project management and contracting processes.

Based upon its preliminary work, Kearney divided the contracting process review into
five subprocesses: contract initiation, contract modification, invoice approval, contract closeout,
and unliquidated obligation (ULO) monitoring. Kearney identified the risks within each of these
subprocesses and the controls in place to address those risks.
Findings were noted when
identified risks were not mitigated by controls. To assess control design, Kearney reviewed
documentation for all the contracts within one project. Additionally, Kearney reviewed all
ULOs without activity since July 2011 and inquired as to their validity to assess the design of the
ULO monitoring controls. For all controls found to be designed effectively, Kearney developed
procedures to test the operation of these controls. (See the Detailed Sampling Methodology
section in this appendix for additional information on sample selection.) Controls that were
found to be ineffectively designed, such as the ULO monitoring control, were not tested and
findings were noted.

Kearney noted during its preliminary work that formal control processes regarding
project management had not been mandated by the NDF. Kearney sought to determine whether
NDF’s informal project management process addressed all key aspects of project management as
articulated by industry standards. Therefore, Kearney planned procedures to review
documentation to determine whether these key aspects were met. Specifically, Kearney assessed
the documentation of the scope, budget, and timeline of the project; the support for and
documentation of changes to the scope, budget, and timeline of the project; the identification and
tracking of project issues; the identification of project risks; and the monitoring of the project.
Kearney obtained three listings of projects (active, closed, and closing) from FIMS as of April
24, 2012. The active projects were considered to be most relevant to the objectives of the audit.
Based upon planning discussions, Kearney learned that certain high-profile projects were in the
closed or closing status.
Therefore, Kearney included these projects when selecting samples for
control testing. (See the Detailed Sampling Methodology section in this appendix for additional
information on sample selection.)

Based upon its preliminary work, Kearney determined the key data fields in FIMS to
address the audit objectives. Specifically, Kearney concluded that overall funding
(Appropriations and Donations), project funding (congressional notifications), obligations, and
expenses were key data fields for the audit. Kearney performed procedures to determine the
accuracy and completeness of the data recorded in FIMS. For appropriations, the amounts
recorded since 2009 were traced and agreed to the appropriation legislation. For donations, the
current balance was agreed to wire transfer documentation. The completeness of new project
funding was tested by tracing all projects begun since 2007 to FIMS. For the other fields,
Kearney validated the amounts by performing substantive tests. When possible, control samples
were leveraged for these procedures; otherwise, new samples were selected from either FIMS or
the Department’s Global Financial Management System (GFMS). (See the Detailed Sampling
Methodology section in this appendix for additional information on sample selection.) Kearney
also reviewed the reporting capabilities in FIMS and compared them to internal and external
end-user needs.

In order to draw conclusions regarding data integrity and reporting capabilities, it was
necessary to determine whether the information technology control environment was sufficient.
Kearney identified the applicable aspects of NIST and performed procedures to assess the
controls.

Use of Computer-Processed Data

The audit team used computer-processed data from the Department during this audit.
Kearney obtained listings of projects from FIMS.
Kearney selected a sample of projects and
tested the project funding amounts reported in FIMS. For each project Kearney obtained a
listing of the obligations and related expenses. Kearney tested these fields during fieldwork.
Issues identified are detailed in the Audit Results section, Finding C. Additionally, Kearney
obtained FY 2011 expense information from GFMS and a listing of ULOs from the GFMS
reporting tool Data Warehouse. The Department has controls in place to ensure that the
expenses recorded in GFMS are accurate and complete. Kearney is comfortable using GFMS to
obtain a population of transactions for sampling. Kearney has performed procedures to verify
the listing of ULOs from the GFMS Data Warehouse as part of the FY 2012 Financial
Statement audit and has concluded that the listing is sufficiently reliable for sample selection
purposes.

Work Related to Internal Controls

Kearney performed steps to assess the adequacy of internal controls related to the areas
audited. Specifically, Kearney gained an understanding of and tested the controls over contract
management, project management, and the integrity of data in FIMS.
Work performed on
internal controls during the audit is detailed in the Audit Results section of the report.

Detailed Sampling Methodology

The sampling objectives were to determine

    • whether the controls identified by Kearney as effectively designed for contract
      initiation, contract modification, vendor invoice approval, travel expense approval,
      and contract closeout were functioning as designed;
    • whether NDF’s informal project management process addressed key aspects of
      project management as articulated by industry standards;
    • the accuracy of the project funding, obligation, and expense data recorded in FIMS;
      and
    • the completeness of the obligation and expense data recorded in FIMS.

Identification of Universes

Several universes (or populations) were utilized to aid in determining samples for testing.
However, the starting point from which most of the sampling and concomitant testing
emanated was the universe of NDF projects, which are categorized as active, closing, or closed in
Table 1.

Table 1.
Financial and Information Management System Project Universe

Status      Number of Projects      Dollar Value of Projects
Active              46                    $322,716,955
Closing             43                     104,669,996
Closed             103                     107,636,759
Total              192                    $535,023,710
Source: Prepared by Kearney based on FIMS data.

The FIMS universe of obligation and expense transactions was not readily available for
control and accuracy testing. However, Kearney was able to obtain a listing of all obligation and
expense transactions for the selected projects to facilitate sample selection and testing.

To obtain the universe of NDF’s current ULOs for completeness testing, Kearney
obtained the ULO Database as of March 31, 2012, from the GFMS Data Warehouse. The
Database included all ULOs across the Department. Therefore, to obtain the NDF universe,
Kearney identified all ULOs recorded for NDF.[1] Kearney summarized the ULOs by obligation
number and established date. Summarized in this manner, there were 98 NDF ULOs as of
March 31, 2012, totaling approximately $144 million, as shown in Table 2.

Table 2.
Global Financial Management System Universe of Unliquidated Obligations

Count        Obligated           Spent       Available
   98     $143,454,609     $73,695,867     $69,758,742
Source: Prepared by Kearney based on GFMS data.

To obtain the universe of expense transactions recorded in GFMS for completeness
testing, Kearney obtained the GFMS Detail Extraction Report from the GFMS Data Warehouse
as of June 5, 2012. The detail covered the period from October 1, 2011, to April 30, 2012.
There were 623 expense transactions, totaling approximately $70 million in gross expenses,
related to NDF, as shown in Table 3.

Table 3. Global Financial Management System Universe of Expense Transactions

Count     Gross Impact to Expenses[2]     Net Impact to Expenses
  623             $70,361,665                  $20,702,397
Source: Prepared by Kearney based on GFMS data.

Selection of Samples for Testing

Kearney predominately used a nonstatistical sampling method known as judgment
sampling throughout this audit, and this included selecting the projects for review from the
primary universe utilized in this audit. Because this method uses discretionary criteria to effect
sample selection, the audit team was able to use information from its preliminary work to aid in
making informed selections for testing.

[1] The treasury symbols 1911_X1075.0 and 1911X1071.0 are unique to the NDF. Therefore, these were used to
isolate the population.
[2] The gross impact to expenses shows the absolute value of the transactions recorded.
Therefore, increases and
decreases are both treated the same when calculating this amount. When calculating the net impact, increases are
offset by decreases recorded.

In selecting the projects for testing, Kearney focused on active projects with the largest
dollar value. In addition, Kearney targeted recently closed projects and one project currently in
the process of being closed out. As shown in Table 4, Kearney selected 15 projects for testing or
about 8 percent of 192 total projects, which encompassed approximately 36 percent of the total
dollar value of all NDF projects.

Table 4. Financial and Information Management System Projects Selected for Testing

Project Number     Status in FIMS     Total Funding
NDF-236            Closed                  $234,205
NDF-240            Closed                   950,000
NDF-253            Closed                   554,000
NDF-256            Closed                 1,000,000
NDF-263            Closing               25,000,000
NDF-270            Closed                   179,330
NDF-272            Active                20,000,000
NDF-273            Active                10,000,000
NDF-274            Active                25,000,000
NDF-285            Active                12,625,000
NDF-288            Active                26,000,000
NDF-292            Active                17,000,000
NDF-294            Active                16,000,000
NDF-295            Active                34,300,000
NDF-915            Active                 2,500,000
Total                                  $191,342,535
Source: Prepared by Kearney based on FIMS data.

After selecting a sample of projects, Kearney conducted various tests to accomplish the
sampling objective. Areas of testing included the project management process; the accuracy of
project funding; controls over contract initiation, modification, and closeout; the accuracy of
obligation transactions; controls over vendor invoice and travel expense approval; and the
accuracy of expense transactions. The testing of the project management process and the
accuracy of project funding are at the project level; therefore, additional procedures were not
necessary to identify the transactions for testing.

For each of the 15 selected projects, Kearney first identified the project status in FIMS
(i.e., active, closing, and closed) and the associated number of contract initiations, modifications
and closeouts. For all active projects, contract initiations, modifications, and closeouts were
reviewed if applicable. However, Kearney excluded the contract initiations and modifications
related to closing and closed projects because NDF did not maintain the presolicitation files
required for initiation and modification testing for these projects. Also, Kearney noted that
contracts within closing and closed projects were executed prior to the formalization of the NDF
contracting controls.
Table 5 provides a summary of the transactions identified for tests of
initiation, modification, and closeout controls. All transactions that were identified were tested.

Table 5. Financial and Information Management System Contract Transactions
for the Sampled Projects

Project      Status in     Contract        Contract          Contract
Number       FIMS          Initiations     Modifications     Closeouts
NDF-236      Closed             *               *                 1
NDF-240      Closed             *               *                 2
NDF-253      Closed             *               *                 0
NDF-256      Closed             *               *                 2
NDF-263      Closing            *               *                 4
NDF-270      Closed             *               *                 1
NDF-272      Active             6               5                 0
NDF-273      Active             5               2                 3
NDF-274      Active             1               3                 1
NDF-285      Active             0               0                 0
NDF-288      Active             0               0                 0
NDF-292      Active             0               1                 0
NDF-294      Active             0               0                 0
NDF-295      Active             6               2                 0
NDF-915      Active             6               4                 0
Various†     N/A                4              N/A               N/A
Total                          28              17                14
Source: Prepared by Kearney based on FIMS data and review of documentation supporting transactions.
* This symbol denotes that Kearney did not review contract initiations and modifications for closing and closed
projects; NDF did not maintain the files required for this testing.
† In addition to the projects identified in Table 5, for each contract modification identified within the population,
Kearney ensured that the initial contract was also tested. In certain instances the initial contract was recorded under a
different project number. When this occurred, Kearney added the contract to the list of items for testing.

To test the accuracy of obligations in FIMS, Kearney obtained all the nontravel
obligations recorded in FIMS[3] for each of the 15 selected projects, as shown in Table 6. For
each obligation, Kearney obtained supporting documentation and determined whether the
amount was accurately recorded in FIMS.

Table 6.
Financial and Information Management System NonTravel Obligations
for the Sampled Projects

Project Number     Number of Obligations              Amount
NDF-236                       5                  $215,523.31
NDF-240                      11                   899,242.82
NDF-253                       2                   514,000.00
NDF-256                       7                   899,300.00
NDF-263                      11                19,366,315.59
NDF-270                       3                  $167,930.00
NDF-272                      35                21,617,303.77
NDF-273                      20                 9,584,950.41
NDF-274                       7                 1,062,107.87
NDF-285                       1                12,625,000.00
NDF-288                       2                25,500,000.00
NDF-292                       2                 3,164,376.35
NDF-294                       1                16,000,000.00
NDF-295                      15                24,757,262.47
NDF-915                      18                 1,680,849.64
Total                       140              $138,054,162.23
Source: Prepared by Kearney based on FIMS data.

To test controls related to vendor invoices and travel expenses and the accuracy of
expense transactions in FIMS, Kearney divided the
non-PSC expense transactions[4] for each
project selected between vendor invoices and travel expenses, as shown in Table 7. For each
tested vendor invoice transaction, Kearney obtained supporting documentation for the
effectiveness of the expense approval controls. For each tested travel expense transaction,
Kearney reviewed supporting documentation to verify the travel payment was properly
approved. Both vendor invoice and travel transactions were tested to ensure the amount
recorded in FIMS matched supporting documentation. Kearney tested all the non-PSC expense
transactions for all 15 of the selected projects with the exception of projects NDF-272 and
NDF-273. Because of the extensive volume of transactions for these two projects, Kearney
randomly sampled instead. Specifically, Kearney sampled and tested 102 transactions, totaling
$2,903,292, of 373 transactions, totaling $14,638,238, for NDF-272 and 18 transactions, totaling
$4,667,255, of 75 transactions, totaling $4,426,370, for NDF-273.

[3] Kearney excluded travel obligations from this accuracy testing; the accuracy of these obligations was covered
through completeness procedures. Kearney also excluded deobligations because it was not considered necessary to
test the accuracy of these transactions.
[4] Kearney excluded PSC expense transactions from testing because these payments are not processed by NDF;
therefore, they are not subject to NDF’s control environment. Moreover, NDF would not have the supporting
documentation required to substantiate the accuracy of the payments.

Table 7.
Financial and Information Management System Non-Personal Services
Contractor Expense Transactions for the Sampled Projects

                           Non-PSC Expense Transactions Tested
               Vendor Invoices            Travel Expenses             Total Tested
Project      Number of                   Number of                  Number of
Number    Transactions       Amount   Transactions    Amount     Transactions       Amount
NDF-236             15     $215,023              5    $9,184               20     $224,207
NDF-240             15      886,807              5     7,381               20      894,188
NDF-253              2      220,818              0         0                2      220,818
NDF-256             10      805,039              9    24,270               19      829,309
NDF-263             14   19,366,316              0         0               14   19,366,316
NDF-270              7      167,440              0         0                7      167,440
NDF-272             50    2,814,605             52    88,687              102    2,903,292
NDF-273              5    4,652,531             13    14,724               18    4,667,255
NDF-274              6      591,349              0         0                6      591,349
NDF-285              1   12,625,000              0         0                1   12,625,000
NDF-288              1      500,000              0         0                1      500,000
NDF-292              1    3,000,000              0         0                1    3,000,000
NDF-294              0            0              0         0                0            0
NDF-295              5    5,744,122             19    25,795               24    5,769,917
NDF-915             27      341,255            103     9,184               27      341,255
Total              159  $51,930,304            103  $170,041              262  $52,100,346
Source: Prepared by Kearney based on FIMS data.

To test the completeness of obligations in FIMS, Kearney judgmentally selected 12 NDF
ULOs from the ULO Database that was obtained from GFMS for testing, as shown in Table 8.
Kearney targeted ULOs with the highest gross obligations; consequently, these 12 ULOs totaled
approximately $131 million, thereby encompassing more than 90 percent of NDF’s total
obligated funds of approximately $143 million as of March 31, 2012.

Table 8. Global Financial Management System Sample of Unliquidated Obligations

Count        Obligated           Spent       Available
   12     $130,675,482     $65,352,985     $65,322,497
Source: Prepared by Kearney based on GFMS data.

To test the completeness of the expense transactions recorded in FIMS, Kearney selected
45 expenses, as shown in Table 9, from GFMS and compared the amount reported in GFMS for
each expense to the amount in FIMS.

Table 9.
Global Financial Management System Sample of\n                  Expense Transactions\n                     Count        Net Impact to Expenses        Gross Impact to Expenses\n                        45                   $31,560,359                     $31,594,270\n                  Source: Prepared by Kearney based on GFMS data.\n\n\n                                                                                                              Appendix B\n\n                                  Assessment of Contracting Controls\n\nContracting Process   Control Description                                                                 Operating Effectively?\n\nContract Initiation   Once the procurement request is completed by the project manager (PM), it is        No\n                      submitted to the Director of the Nonproliferation and Disarmament Fund (NDF) for\n                      review and approval.\n\nContract Modification Prior to executing a contract modification, the PM approves or initiates the        No\n                      modification and provides it to the NDF Comptroller to submit through the Ariba\n                      module in the Integrated Logistics Management System.5 Included in this request\n                      are the terms of the modification and appropriate supporting evidence of the need\n                      for contract modification. The change requisition is approved by the NDF Director\n                      or Deputy Director.\n\nInvoice Approval      The PM must sign off on the PM Certification of Deliverables and/or Services and    No\n                      identify if the items listed on the invoice were fully, partially, or not received\n                      through review of adequate evidence in order to approve an invoice for payment.\n\nInvoice Approval      Available funding for each expense is verified by the NDF Comptroller and           No\n                      documented through issuance of a memorandum or cable to the Bureau of the\n                      Comptroller and Global Financial Services in Charleston or to the embassy\n                      approving payment.\n\nInvoice Approval      For Travel Orders, the NDF Comptroller approves the voucher as evidenced by         Yes\n                      sign-off on the Travel Voucher.\n\nContract Closeout     For contracts being closed with balances remaining on the obligations, the PM       Yes\n                      obtains a formal release letter from the vendor to ensure no future payments are\n                      required.\n\nContract Closeout     The PM completes a contracting officer\'s representative (COR) Completion            Yes\n                      Certificate, certifying to the Bureau of Administration, Office of Logistics\n                      Management, Office of Acquisitions Management (A/LM/AQM), Contract Closeout Team\n                      that all work has been completed and final payment has been made.\n\nContract Closeout     The PM completes a COR Closeout Checklist certifying all required closeout items    Yes\n                      have been accomplished and in the appropriate order outlined in the Memorandum of\n                      Understanding with A/LM/AQM.\n\nSource: Prepared by Kearney based on its understanding of the NDF control environment and its tests of controls.\n\n\n5 The Integrated Logistics Management System is the Department\'s procurement system. Requests submitted by\nNDF are sent to A/LM/AQM using this system. 
The Integrated Logistics Management System interfaces with the\nDepartment\'s Global Financial Management System.\n\n\n                                                                                                             Appendix C\n\n                    Notable Financial and Information Management System Reports\n\nReport                      Data Included\n\nFY Available Balance        This report lists the following information for each fiscal year:\nReport with Obligation        - Appropriation\n                              - Appropriation Adjustments\n                              - Total New Budget Authority\n                              - Administrative Costs\n                              - Previous Year Rollover Balance\n                              - New Available Balance\n                              - Notified Amount\n                              - Obligated Amount\n                              - Amount Returned to Nonproliferation and Disarmament Fund (NDF)\n                              - Balance Remaining\n\nAll Notified Projects       This report lists the following information for each project which has been notified:\nStatus Report                 - Project Number\n                              - Office of Management and Budget Category\n                              - Project Description\n                              - Countries\n                              - Proposal Amount\n                              - Notified Amount\n                              - Date Notified\n                              - Fiscal Year Funding Used\n                              - Other [Non-NDF] Funding\n                              - Obligated Amount\n                              - Amount Spent\n                              - Amount Returned to External Account\n                              - Amount Returned to NDF Account\n                              - Date Returned to NDF Account\n                              - Financial Status\n                              - Work Status\n\nProject Detail Report       This report can be run for each NDF Project. It contains the following summary information\n                            about a particular project:\n                              - NDF Funding\n                              - External Funding (Including Listing the Source)\n                              - Overall Project Funding\n                              - Amount Obligated\n                              - Allotment Level Expenses\n                              - Interest Paid\n                              - Actual Spent\n                              - Available Balance\n                              - Notified\n                              - Financial Status\n                              - Amount Returned to NDF Account\n                            It also includes the following information for each obligation recorded to the project:\n                              - Obligation Number\n                              - Obligation Type\n                              - Description\n                              - Amount Obligated\n                              - Actual Spent\n                              - Unliquidated Balance\n                              - Allotment Level Expense\n                              - Interest\n\nSource: Created by Kearney based upon review of reports available on Crystal Reports, the reporting module of FIMS.\n\n\n                                                                                     Appendix D\n\n\n                                                United States Department of State\n                                                Bureau of International Security\n                                                 and Nonproliferation\n\n                                                Washington, D.C. 20520\n\nUNCLASSIFIED                                    November 13, 2012\n\n\nINFORMATION MEMORANDUM FOR HAROLD W. GEISEL (OIG)\n\nFROM:        ISN - Thomas M. 
Countryman\n\nSUBJECT: Draft Report on Audit of Nonproliferation and Disarmament Fund\n         Controls Over Contracting and Project Management and Integrity of\n         Financial Data\n\n\n      I am writing to thank the OIG audit supervisors, and the audit contractor,\nKearney and Company for a thoughtful and well-researched examination of the\nNonproliferation and Disarmament Fund\'s (NDF) financial, program, project, and\ncontract management. I appreciate the audit team\'s professionalism, knowledge,\nand objectivity and have reviewed carefully the specific steps that have been\nidentified to improve the NDF\'s management of a complex and hard to manage\nprogram. I concur with all 18 audit recommendations (specific comments\nattached). Over the next few months, I and my managers will work with the NDF\nto put together an action plan to determine resource needs and then move to\ncomply with these recommendations. As part of these efforts, the OIG will audit\nthe NDF annually starting in January 2014.\n\n       I appreciate the fact that the report acknowledged the NDF\'s progress. The\naudit highlighted many positive aspects of NDF\'s contract, project, and financial\nmanagement. 
The audit\'s constructive recommendations will be addressed one-by-one\nand implemented in a manner that produces a long-lasting positive effect\non the NDF operations.\n\n       For 18 years, the NDF has provided the Department of State with a unique\ncapability to take advantage of diplomatic nonproliferation and disarmament\nopportunities such as eliminating the nuclear weapons programs in Libya,\ndismantling plutonium production facilities in North Korea, and destroying\nballistic missiles in numerous countries, etc. Often these rapid, first-responder\nefforts are far removed from the embassies we rely upon to support programs\nabroad; in some cases, the NDF operates in countries where the United States has\nno diplomatic relations. The work is often complex, highly technical and involves\nrisk to our contractors. 
To keep this diplomatic tool effective and ensure\ncompliance with modern accountability standards, the NDF is committed to using,\nadapting and developing modern business tools.\n\n\nAttachment:\n      As stated.\n\n\n            2012 Audit of NDF\n\n     ISN Reply to OIG Recommendations\n\n            November 9, 2012\n\n\nNDF requested this audit in 2011 after a three-year effort by contractor experts to design systems to\nimprove the quality of NDF financial, contract, and project management and to assist us in complying\nwith the 2009 NDF audit.\n\nNDF appreciates the comprehensive audit conducted by Kearney and agrees, for the most part, with all\n18 OIG recommendations. 
The NDF will use this audit to continue to make improvements and expand its\nability to develop and standardize recommended procedures using NDF\'s Internal Financial Information\nManagement System (FIMS) or, if necessary, adopt more cost effective approaches that better meet our\nneeds.\n\nIn September 2010, NDF formed a Requirements Management Team (RMT) to integrate internal\nrecommendations from three areas: financial, contract, and project management. The RMT will suggest\npolicies and procedures to the NDF Director that are consistent with Department of State standards and\nindustry best practices to support all OIG audit recommendations. The NDF\'s goal is to implement as\nmany improvements as possible in an orderly and cost-effective fashion.\n\n\n\n\nFinding A.       
NDF Contracting Process Controls Are in Place but Need Improvement.\n\nRecommendation 1: OIG recommends that the Nonproliferation and Disarmament Fund (NDF) develop\nand implement a standardized procedure to help ensure compliance with contract initiation and\nmodification documentation and approval requirements.\n\nISN/NDF Response: Concur. NDF prepared a checklist to ensure that procurement request packages\ncontain all the required documentation. We will be working with the Requirements Management Team\n(RMT) to provide and organize an appropriate electronic storage location for samples of the various\ndocuments used in contract initiation and modification.\n\nRecommendation 2: OIG recommends that the Nonproliferation and Disarmament Fund improve the\ninvoice approval process to ensure that project managers receive and maintain the appropriate\ndocumentation to support their certification of the receipt of goods or services.\n\nISN/NDF Response: Concur. 
NDF will review the process we now use to certify and establish standards\nfor document retention.\n\nRecommendation 3: OIG recommends that the Nonproliferation and Disarmament Fund develop an\ninternal process to review unliquidated obligations on a periodic basis and to validate the quarterly list\nof unliquidated obligations provided by the Bureau of Comptroller and Global Financial Services (CGFS)\nin a timely manner.\n\nISN/NDF Response: Concur. 
As an enhancement to NDF\'s Internal Financial Information Management\nSystem (FIMS), a CGFS report of all unliquidated obligations (ULOs) grouped by NDF project will be\nautomatically run each month and sent to NDF Finance users and the appropriate NDF project managers.\nThe NDF Comptroller will provide a policy memo describing the internal NDF ULO review process. 
The\nNDF will update the NDF Project Management Guide to include implementing instructions to the NDF\nstaff in order to validate the quarterly list of ULOs.\n\nRecommendation 4: OIG recommends that the Nonproliferation and Disarmament Fund develop and\nimplement a formal process to close out contracts in a timely manner.\n\nISN/NDF Response: Concur. Kearney observed that the current NDF Contract Management Handbook\nfor Contracting Officers\' Representatives (CORs) contains a description of the processes used to close\nlarge contracts, contracts issued using simplified acquisition procedures, and contracts for personal\nservices. NDF CORs are using these processes when contracts for which they are responsible become\ncomplete. 
We are working with the RMT to provide and organize an appropriate electronic storage\nlocation for samples of the various contract closeout documents. NDF will work with the office of\nAcquisitions (AQM) to develop standard timeframes for NDF CORs to present contract closeout\ndocumentation packages to the AQM Contracting Officer (CO) to improve timeliness.\n\nRecommendation 5: OIG recommends that the Nonproliferation and Disarmament Fund develop a\nprocess to formally document the projects for which the "notwithstanding authority" is used, including\nwhen it is invoked to override portions of the Federal Acquisition Regulation.\n\nISN/NDF Response: NDF already documents all requests to rely on "notwithstanding authority" to\novercome restrictions under U.S. law in providing assistance for NDF projects in decision memoranda\napproved by the Under Secretary for International Security Affairs (U/S T), which are cleared with the\nOffice of the Legal Advisor (L), and notifies Congress of any intent to rely on "notwithstanding authority"\nwhen funds for NDF projects are notified.\n\n\n\nPROJECT MANAGEMENT\n\nFinding B. Controls over Project Management Need Improvement\n\nRecommendation 6: OIG recommends that the Nonproliferation and Disarmament Fund identify key\nproject management controls and implement a policy to require compliance with these key controls.\n\nISN/NDF Response: Concur. NDF will identify key project management controls and recommend a\ncompliance policy.\n\nRecommendation 7: OIG recommends that the Nonproliferation and Disarmament Fund develop and\nimplement policies regarding the use of the FIMS for project management and, to the extent possible,\nadd controls to FIMS that require the completion of key fields.\n\nISN/NDF Response: Concur. Some key fields have been identified already. For example, adding an\nautomated contract expiration date warning email generated by FIMS 90 days prior to contract\nexpiration allows the program manager to take timely action to either begin closing out the contract or\npreparing a request to extend the contract. 
As an enhancement to FIMS, more formal project\nmanagement controls are possible and NDF will determine what controls might add value to the process.\nThe RMT will identify any additional key fields and controls needed and will make a recommendation to\nthe NDF Director.\n\nRecommendation 8: OIG recommends that the Nonproliferation and Disarmament Fund identify the\nkey project management activities for NDF projects and develop a plan to modify FIMS capabilities to\nsupport these activities. 
If NDF determines that it would not be cost effective to upgrade FIMS, NDF\nshould develop and implement a formal process to perform and document these key project\nmanagement activities outside of FIMS.\n\nNDF Response: Partially Concur. 
NDF designs, negotiates, and oversees execution of diplomatic\nprograms in the field of nonproliferation, but detailed project management (as defined by the Project\nManagement Institute), is carried out by the implementing entity, which may be a foreign government,\ncontractor and/or an international organization. These entities maintain schedules, work breakdown\nstructure (WBS), and other project management tools as appropriate. 
For example, foreign\ngovernments receiving NDF assistance often do the destruction work at Weapons of Mass Destruction\n(WMD) designated areas or WMD delivery system sites; on nuclear related projects, Department of\nEnergy (DOE) national laboratories often serve as the Project Management Organization (PMO); and on\nChemical Weapons (CW) elimination projects, large contractors with sophisticated chemical and\nindustrial engineering pedigrees manage the projects with the U.S. Department of Defense (DoD) most\nlikely to serve as the PMO of record. That being said, the NDF concurs in the need to document key\nproject, program, and portfolio management activities and to exercise due diligence in examining\nrelevant workflows and documentation requirements and set cost effective and practical\nstandards. The RMT has been tasked with identifying the relevant workflow and documentation\nrequirements, making recommendations and determining potential costs.\n\nRecommendation 9: OIG recommends that the Nonproliferation and Disarmament Fund develop and\nimplement procedures to ensure that documentation maintenance and retention policies are followed\nconsistently.\n\nISN/NDF Response: Concur. 
NOF\nISN/NDF Response              NDF will build upon the documents "NDF Document Management\n                                                                                  Management"\xc2\xb7\nluldellnes and\nguidelines     " Results From Project Managers\n           Ind "Results                            Survey On Contract\n                                      Millnage~ Sul"\'ieY     ConlrKl Management\n                                                                      MiIIMgement File StOfage,"\n                                                                                       Storage; within\nthe RMT, to determint\n            determine appropriate policies\n                                    polities and\n                                             ilnc:! procedures.\n\nRKommendation 10: DIG\nRecommendation          OIG recommen\n                             recommends ds that\n                                           thlt the\n                                                 tnt Nonproliferation\n                                                     Nonprolife,.,tlon and\n                                                                       ind Dis.armament\n                                                                            Disarmament Fund develop aiI\nstandard tlmeframe for closing\n                         closi08 out projects\n                                     projeca and implement\n                                                   Implement a policy to10 ensu re stillndlrd\n                                                                           ensure  standard timeframes\n                                                                                              t imemmes for\nproject clo~\n        close outs are\n                   ,ue met or the reaso         delays documented.\n                                        ns for delay,;\n                                  reasons\n\nISN/NDF Response: Concur with comment. 
NOF        NDF will establish a policy to include\n                                                                                  Include aI tlmeline to closeout\n                                                                                                         cioseout\nNDF projects and return remaining funds to the NOF     NDF account.\n                                                            ICcount. The total number of active\n                                                                                             Ictive projects\nreferen ced in\nreferenced    In the\n                  tht! DIG\n                       OIG report iIncludes\n                                    ncludes administrative\n                                            admlnistntiYe funds,\n                                                             funds, which are\n                                                                           Ire funds that are set as ide\nspedficillly\nspecifICa lly forthe    ope~tion of the NDF and\n              for the oper.ltion              ilnd are not project\n                                                            pro}ect funds . Attached   for reference IIs Chart A.\n                                                                             AUiched for\n                            sts the NDF\' s 33 currently\nActive Projects, which lilists                cUfl\'ently active projects. Below are three specific\n                                                                                              spedfic page\nreferences in In the OIG report that n eed to be changed\n                                                   changed::\n\nPillit\nPOise Ii:\n       6: "At\n           "AllfIfo time of th is audit,\n               the time           oudit. 
there\n                                         theft were  46 active\n                                               were 46    octlw: projects,funded/or     approximately $323\n                                                                 projects, funded fCW\'opprtNIimottly    $323 milliOll,\n                                                                                                              miflioo,\nand\nond 43    projects in the\n     43/Xojrcts       tflfo closeou\n                            doseoutt phose,\n                                      phose, funded for\n                                                     fOl\' opproximotely           million. Of 46\n                                                                           $105 million.\n                                                          opproJ(/motety $J05                 46 octive\n                                                                                                 OCIive projects, 34\n                                                                                                                  34\nwere   country-sped[/C projms\nwefe country\xc2\xb7specific       projects ond 12 were far\n                                                  fCW\' odministrative\n                                                       odminislrativr task\n                                                                        tOSKs,\n                                                                             S, such as\n                                                                                      os FIM5\n                                                                                         FIMS development\n                                                                                               devrlopment and\n                                                                                                             
ond\nmaintenance.\xc2\xb7\nmointenonce.\xc2\xb7 ISN/NOF\n                    tSN/NDF Comment: Per Chart A         (attached), there are 33 active projects. There are 42\n                                                       A (attached),                                              42\n                     phase, as shown\nprojects In closeout phase,    shown In Chart C (attached).\n                                                (attacntd), Closing\n                                                            Closinl Projects\n                                                                    Profects -\xc2\xb7 Financial Review Complete.\n                                                                                                 Completl!\'.\n\nPage  22: "However,\nPas. 22    "~W:f, theretherr were still\n                                    still projects,\n                                          projects, both country\xc2\xb7speciflC\n                                                         c(J(Jnrry-sp\xc2\xablfic ond\n                                                                           ond admin  istrative, inappropriotely\n                                                                               odmlnlJtrotive,   inoppropriotety\nldenll[ted as\nidentified os \xc2\xb7octive\n              "OCIive"" in\n                         in FIMS."\n                            FIMS.\xc2\xb7 ISN/NDF\n                                   I5N/NDF Comment:\n                                               Comment: This\n                                                          This statement needs\n                                                                            needs to           Idminlst~tiye\n                                                                                  to exclude administrative\nfunds.\nfunds.\n\n\n\n\n44\n\n\n\n\n                                             54\n\n                                        UNCLASSIFIED\n\n\x0c     
On page 36: Table 1 states that there are 46 active projects. ISN/NDF Comment: Per Chart A, there are 33 active projects.

FINANCIAL MANAGEMENT

Finding C. Data Integrity and Reporting Capabilities Need Improvement to Produce Auditable Financial Reports.

Recommendation 11: OIG recommends that the Nonproliferation and Disarmament Fund improve its policies and procedures for recording obligations and expenses in the Financial and Information Management Systems (FIMS), by developing, at a minimum:

    - Clarification on the documentation required to record an obligation, especially miscellaneous obligations.
    - Instructions on the proper use of the estimate "flag."
    - A standard for an acceptable time between the approval of an expense transaction and its entry into FIMS.

ISN/NDF Response: Concur, with comment. Timeliness is a major issue. The requirement for documentation before obligations are established has always existed in NDF. IAAs, MOUs, MOAs, MODs, travel orders, and contract statements of work that include estimated spending for the work normally should not be a problem. The problem occurs with Miscellaneous Obligations (M9) documentation, email printing and filing. Depending on the age of the sample data, staffing levels, and urgency of reaction, keeping the program moving may have taken precedence over immediately printing and filing email backup for M9 obligation transactions. This creates the electronic versus paper trail documentation problem. However, more recent years' files should show significant improvement in M9 transactions documentation. A checklist for obligation supporting documentation, including M9, will be added to the Project Manager Users Guide.

Obligation numbers are generated by FIMS and are used to establish obligations into Ariba, E2 Solutions and GFMS. The obligations generated by FIMS are processed as estimates since there is a possibility that the amount of the obligation entered in FIMS will change. FIMS will not allow the recording of an expense without removing the flag for estimates. In the requirement to remove the estimate flag before expenditures can be recorded to the obligations is an inherent reminder to verify that the obligation in FIMS agrees with the Department's Financial System before removing the estimated flag.

Regarding the standard for an acceptable time between an expense transaction and its entry into FIMS, expense transactions (invoices) are processed and approved in NDF are recorded immediately into FIMS. Generally, other known expense transactions should be entered into FIMS weekly. Delays occur due to staff shortage and workload priorities. Personal Service (PSC) contract payments are processed by the payroll interface. NDF finance does not have authorization to review them before they go to GFMS. We plan to build a tool to compare GFMS and FIMS, when and if GFMS downloads are available.

Policies and procedures for recording obligations and expenses in the FIMS exist now. However, the procedures for the removal of the "estimated flag" are not included in the FIMS Quick Reference Guide of 2008. The estimated flag process is being added in the Guide's update. As an enhancement to FIMS, automated periodic reconciliation processes can be developed. NDF should explore adding "as of" functionalities. We plan to advertise to fill the vacant FTE.

Recommendation 12: OIG recommends that the Nonproliferation and Disarmament Fund develop and implement policies and procedures for reconciling financial data in the FIMS to the financial data in the GFMS on a periodic basis, including requirements for documenting and reviewing the reconciliation.

ISN/NDF Response: Concur. NDF agrees it should improve the reconciliation process before the final project closeout. The review and reconciliation usually occur on active projects when the program managers request a project Detail Report from the program managers' assigned finance officer. However, NDF has not been at full staff levels since 2009. During this audit there was only one full time finance officer in place out of the three full time positions in the NDF. That one full time finance officer provides financial services to eight program managers. Once the staff levels are in place, permanent staff members will be assigned to each program manager and the routine reconciliation process will resume. For now, reconciliation between GFMS and FIMS is a manual process subject to priorities of workload.

The reconciliation process and transaction integrity (obligation and expenditures) could be greatly enhanced with downloads from GFMS that would help facilitate the accuracy of information in FIMS to GFMS. As an enhancement to FIMS, automated periodic reconciliation processes will be explored by the NDF.

    - Addressing staff shortfalls to focus on reconciliation process of GFMS and FIMS
    - Use GFMS reports along with the FIMS obligation reports. NDF is in the process of developing a reconciliation process.
    - NDF plans to incorporate the OIG recommendation process received 10/18/2012 into the reconciliation process.

Recommendation 13: OIG recommends that the Nonproliferation and Disarmament Fund develop policies regarding the responsibility of NDF in the contracting process when donated funds are used. Additionally, NDF should modify FIMS so that donated funds are tracked separately, which would include the capability to link obligations to specific sources of funding instead of to the project as a whole.

ISN/NDF Response: Concur, with comments. NDF only receives donor funds on a project-specific basis, and each project will have unique contractual requirements. Therefore, NDF will coordinate with AQM, RM, L, and donor governments on a case-by-case basis to develop appropriate modalities.

Donated funds are tracked separately in both GFMS and FIMS. While GFMS does use one Fund Symbol (1075.0 or "Point D Limitation") to identify all donated funds, it uses Allotment and Operating Allowance codes to identify the donor nation and the recipient nation, respectively. FIMS maintains this level of detail as well and includes the capability to link obligations directly to these funds. Procedures will be added to the FIMS Quick Reference Guide. Donated funds reports are being enhanced and developed in FIMS to include funds, obligations, expenditures, and available balances from the projects.

Recommendation 14: OIG recommends that the Nonproliferation and Disarmament Fund identify end-users reporting needs and modify FIMS to meet the reporting needs identified. If NDF determines that it would not be cost-effective to modify FIMS to address certain end-user reporting needs, NDF should document the rationale for making this decision and develop a formal process for manually preparing the required reports.

ISN/NDF Response: Concur. NDF agrees to develop a plan to identify end-user reporting needs. NDF can run reports as of a point in time. NDF can run extra reports to track history. The reports for donor nations are available in FIMS in regard to identifying donated funds, to which NDF projects they have been applied, and for which obligations and expenditures have been used. Project manager(s) produce project progress and overview reports, and these reports are not expected to be produced directly from FIMS. These reports are to be scanned into FIMS and tagged to the appropriate project. Modifying FIMS to meet the reporting needs will take longer.

Recommendation 15: OIG recommends that the Nonproliferation and Disarmament Fund prepare a comprehensive system security plan for the FIMS.

ISN/NDF Response: Concur. NDF is currently working on the accreditation and certification process as outlined in Federal Information Processing Standard (FIPS) 197. The current contract for FIMS services is in the process of being modified to add funding for the system security plan. NDF currently has an IT contract that includes a provision for a contingency plan in FIMS. The architectural layout for the reconstitution of data is underway.

Recommendation 16: OIG recommends that the Nonproliferation and Disarmament Fund review the permissions of all FIMS users and verify that their access privileges are consistent with their job functions and responsibilities.

ISN/NDF Response: Concur.

Recommendation 17: OIG recommends that the Nonproliferation and Disarmament Fund assess its current change control process for FIMS and determine if additional reviews or testing changes are required.

ISN/NDF Response: Concur.

Recommendation 18: OIG recommends that the Nonproliferation and Disarmament Fund finalize and implement its contingency plan for FIMS.

ISN/NDF Response: Concur. NDF will develop a current contingency plan. This is included in the current contract. The Disaster Recovery and Data Backup services provided by SalesForce as the application platform for FIMS has been shown to satisfy NIST standards in regards to the prevention of loss of data. The FIMS Contingency Plan builds on these services to document continuity operations procedures for recovery of NDF processes.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT OF FEDERAL PROGRAMS HURTS EVERYONE.

CONTACT THE OFFICE OF INSPECTOR GENERAL HOTLINE TO REPORT ILLEGAL OR WASTEFUL ACTIVITIES:

202-647-3320
800-409-9926
oighotline@state.gov
oig.state.gov

Office of Inspector General
U.S. Department of State
P.O. Box 9778
Arlington, VA 22219